public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
* [edk2-devel] [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384
@ 2023-07-27  6:35 Sheng Wei
  2023-07-27  6:35 ` [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for CERT_RSA3072 and CERT_RSA4096 Sheng Wei
                   ` (4 more replies)
  0 siblings, 5 replies; 17+ messages in thread
From: Sheng Wei @ 2023-07-27  6:35 UTC (permalink / raw)
  To: devel
  Cc: Jiewen Yao, Jian J Wang, Min Xu, Zeyi Chen, Fiona Wang, Xiaoyu Lu,
	Guomin Jiang, Michael D Kinney, Liming Gao

Patch V5:
Using define KEY_TYPE_RSASSA to replace the magic number.

Patch V4:
Determine the RSA algorithm by a supported algorithm list.

Patch V3:
Select SHA algorithm automaticly for a unsigned efi image.

Patch V2:
Determine the SHA algorithm by a supported algorithm list.
Create SHA context for each algorithm.

Test Case:
1. Enroll a RSA4096 Cert, and execute an RSA4096 signed efi image under UEFI shell. 
2. Enroll a RSA3072 Cert, and execute an RSA3072 signed efi image under UEFI shell. 
3. Enroll a RSA2048 Cert, and execute an RSA2048 signed efi image under UEFI shell. 
4. Enroll an unsigned efi image, execute the unsigned efi image under UEFI shell

Test Result:
Pass

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Zeyi Chen <zeyi.chen@intel.com>
Cc: Fiona Wang <fiona.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>

Sheng Wei (3):
  MdePkg/Include: Add GUID for CERT_RSA3072 and CERT_RSA4096
  CryptoPkg/Library/BaseCryptLib: add sha384 and sha512 to
    ImageTimestampVerify
  SecurityPkg/SecureBoot: Support RSA 512 and RSA 384

 CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c   |   3 +-
 MdePkg/Include/Guid/ImageAuthentication.h     |  26 +++
 MdePkg/MdePkg.dec                             |   2 +
 .../Library/AuthVariableLib/AuthService.c     | 220 +++++++++++++++---
 .../AuthVariableLib/AuthServiceInternal.h     |   4 +-
 .../Library/AuthVariableLib/AuthVariableLib.c |  42 ++--
 .../DxeImageVerificationLib.c                 |  73 +++---
 .../SecureBootConfigDxe.inf                   |  16 ++
 .../SecureBootConfigImpl.c                    | 114 +++++++--
 .../SecureBootConfigImpl.h                    |   7 +
 .../SecureBootConfigStrings.uni               |   6 +
 11 files changed, 421 insertions(+), 92 deletions(-)

-- 
2.26.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#107293): https://edk2.groups.io/g/devel/message/107293
Mute This Topic: https://groups.io/mt/100385941/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



^ permalink raw reply	[flat|nested] 17+ messages in thread

* [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for CERT_RSA3072 and CERT_RSA4096
  2023-07-27  6:35 [edk2-devel] [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384 Sheng Wei
@ 2023-07-27  6:35 ` Sheng Wei
  2023-07-27  6:35 ` [edk2-devel] [PATCH V5 2/3] CryptoPkg/Library/BaseCryptLib: add sha384 and sha512 to ImageTimestampVerify Sheng Wei
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 17+ messages in thread
From: Sheng Wei @ 2023-07-27  6:35 UTC (permalink / raw)
  To: devel
  Cc: Jiewen Yao, Jian J Wang, Min Xu, Zeyi Chen, Fiona Wang, Xiaoyu Lu,
	Guomin Jiang, Michael D Kinney, Liming Gao

Add gEfiCertRsa3072Guid and gEfiCertRsa4096Guid

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Zeyi Chen <zeyi.chen@intel.com>
Cc: Fiona Wang <fiona.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Signed-off-by: Sheng Wei <w.sheng@intel.com>
---
 MdePkg/Include/Guid/ImageAuthentication.h | 26 +++++++++++++++++++++++
 MdePkg/MdePkg.dec                         |  2 ++
 2 files changed, 28 insertions(+)

diff --git a/MdePkg/Include/Guid/ImageAuthentication.h b/MdePkg/Include/Guid/ImageAuthentication.h
index fe83596571..c8ea2c14fb 100644
--- a/MdePkg/Include/Guid/ImageAuthentication.h
+++ b/MdePkg/Include/Guid/ImageAuthentication.h
@@ -144,6 +144,30 @@ typedef struct {
     0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6} \
   }
 
+///
+/// This identifies a signature containing an RSA-3072 key. The key (only the modulus
+/// since the public key exponent is known to be 0x10001) shall be stored in big-endian
+/// order.
+/// The SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size
+/// of SignatureOwner component) + 384 bytes.
+///
+#define EFI_CERT_RSA3072_GUID \
+  { \
+    0xedd320c2, 0xb057, 0x4b8e, {0xad, 0x46, 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 } \
+  }
+
+///
+/// This identifies a signature containing an RSA-4096 key. The key (only the modulus
+/// since the public key exponent is known to be 0x10001) shall be stored in big-endian
+/// order.
+/// The SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size
+/// of SignatureOwner component) + 512 bytes.
+///
+#define EFI_CERT_RSA4096_GUID \
+  { \
+    0xb23e89a6, 0x8c8b, 0x4412, {0x85, 0x73, 0x15, 0x4e, 0x8d, 0x00, 0x98, 0x2c } \
+  }
+
 ///
 /// This identifies a signature containing a RSA-2048 signature of a SHA-256 hash.  The
 /// SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size of
@@ -330,6 +354,8 @@ typedef struct {
 extern EFI_GUID  gEfiImageSecurityDatabaseGuid;
 extern EFI_GUID  gEfiCertSha256Guid;
 extern EFI_GUID  gEfiCertRsa2048Guid;
+extern EFI_GUID  gEfiCertRsa3072Guid;
+extern EFI_GUID  gEfiCertRsa4096Guid;
 extern EFI_GUID  gEfiCertRsa2048Sha256Guid;
 extern EFI_GUID  gEfiCertSha1Guid;
 extern EFI_GUID  gEfiCertRsa2048Sha1Guid;
diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec
index b85614992b..24e4779d33 100644
--- a/MdePkg/MdePkg.dec
+++ b/MdePkg/MdePkg.dec
@@ -581,6 +581,8 @@
   gEfiImageSecurityDatabaseGuid  = { 0xd719b2cb, 0x3d3a, 0x4596, {0xa3, 0xbc, 0xda, 0xd0,  0xe, 0x67, 0x65, 0x6f }}
   gEfiCertSha256Guid             = { 0xc1c41626, 0x504c, 0x4092, {0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 }}
   gEfiCertRsa2048Guid            = { 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6 }}
+  gEfiCertRsa3072Guid            = { 0xedd320c2, 0xb057, 0x4b8e, {0xad, 0x46, 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 }}
+  gEfiCertRsa4096Guid            = { 0xb23e89a6, 0x8c8b, 0x4412, {0x85, 0x73, 0x15, 0x4e, 0x8d, 0x00, 0x98, 0x2c }}
   gEfiCertRsa2048Sha256Guid      = { 0xe2b36190, 0x879b, 0x4a3d, {0xad, 0x8d, 0xf2, 0xe7, 0xbb, 0xa3, 0x27, 0x84 }}
   gEfiCertSha1Guid               = { 0x826ca512, 0xcf10, 0x4ac9, {0xb1, 0x87, 0xbe,  0x1, 0x49, 0x66, 0x31, 0xbd }}
   gEfiCertRsa2048Sha1Guid        = { 0x67f8444f, 0x8743, 0x48f1, {0xa3, 0x28, 0x1e, 0xaa, 0xb8, 0x73, 0x60, 0x80 }}
-- 
2.26.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#107294): https://edk2.groups.io/g/devel/message/107294
Mute This Topic: https://groups.io/mt/100385942/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



^ permalink raw reply related	[flat|nested] 17+ messages in thread

* [edk2-devel] [PATCH V5 2/3] CryptoPkg/Library/BaseCryptLib: add sha384 and sha512 to ImageTimestampVerify
  2023-07-27  6:35 [edk2-devel] [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384 Sheng Wei
  2023-07-27  6:35 ` [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for CERT_RSA3072 and CERT_RSA4096 Sheng Wei
@ 2023-07-27  6:35 ` Sheng Wei
  2023-07-27  9:42   ` Yao, Jiewen
  2023-07-27  6:35 ` [edk2-devel] [PATCH V5 3/3] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384 Sheng Wei
                   ` (2 subsequent siblings)
  4 siblings, 1 reply; 17+ messages in thread
From: Sheng Wei @ 2023-07-27  6:35 UTC (permalink / raw)
  To: devel
  Cc: Jiewen Yao, Jian J Wang, Min Xu, Zeyi Chen, Fiona Wang, Xiaoyu Lu,
	Guomin Jiang, Michael D Kinney

Register and initialize sha384/sha512 digest algorithms for PKCS#7 Handling.

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3413

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Zeyi Chen <zeyi.chen@intel.com>
Cc: Fiona Wang <fiona.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Signed-off-by: Sheng Wei <w.sheng@intel.com>
---
 CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
index 027dbb6842..944bcf8d38 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
@@ -591,7 +591,8 @@ ImageTimestampVerify (
   // Register & Initialize necessary digest algorithms for PKCS#7 Handling.
   //
   if ((EVP_add_digest (EVP_md5 ()) == 0) || (EVP_add_digest (EVP_sha1 ()) == 0) ||
-      (EVP_add_digest (EVP_sha256 ()) == 0) || ((EVP_add_digest_alias (SN_sha1WithRSAEncryption, SN_sha1WithRSA)) == 0))
+      (EVP_add_digest (EVP_sha256 ()) == 0) || (EVP_add_digest (EVP_sha384 ()) == 0) ||
+      (EVP_add_digest (EVP_sha512 ()) == 0) || ((EVP_add_digest_alias (SN_sha1WithRSAEncryption, SN_sha1WithRSA)) == 0))
   {
     return FALSE;
   }
-- 
2.26.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#107295): https://edk2.groups.io/g/devel/message/107295
Mute This Topic: https://groups.io/mt/100385943/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



^ permalink raw reply related	[flat|nested] 17+ messages in thread

* [edk2-devel] [PATCH V5 3/3] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384
  2023-07-27  6:35 [edk2-devel] [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384 Sheng Wei
  2023-07-27  6:35 ` [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for CERT_RSA3072 and CERT_RSA4096 Sheng Wei
  2023-07-27  6:35 ` [edk2-devel] [PATCH V5 2/3] CryptoPkg/Library/BaseCryptLib: add sha384 and sha512 to ImageTimestampVerify Sheng Wei
@ 2023-07-27  6:35 ` Sheng Wei
  2023-07-28  2:34   ` Yao, Jiewen
  2023-07-27  9:44 ` [edk2-devel] [PATCH V5 0/3] SecureBoot: " Yao, Jiewen
       [not found] ` <1775A5F91CFEF78E.27447@groups.io>
  4 siblings, 1 reply; 17+ messages in thread
From: Sheng Wei @ 2023-07-27  6:35 UTC (permalink / raw)
  To: devel; +Cc: Jiewen Yao, Jian J Wang, Min Xu, Zeyi Chen, Fiona Wang

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3413

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Zeyi Chen <zeyi.chen@intel.com>
Cc: Fiona Wang <fiona.wang@intel.com>
Signed-off-by: Sheng Wei <w.sheng@intel.com>
---
 .../Library/AuthVariableLib/AuthService.c     | 220 +++++++++++++++---
 .../AuthVariableLib/AuthServiceInternal.h     |   4 +-
 .../Library/AuthVariableLib/AuthVariableLib.c |  42 ++--
 .../DxeImageVerificationLib.c                 |  73 +++---
 .../SecureBootConfigDxe.inf                   |  16 ++
 .../SecureBootConfigImpl.c                    | 114 +++++++--
 .../SecureBootConfigImpl.h                    |   7 +
 .../SecureBootConfigStrings.uni               |   6 +
 8 files changed, 391 insertions(+), 91 deletions(-)

diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c
index d81c581d78..4c268a85cd 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
@@ -29,12 +29,125 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #include <Protocol/VariablePolicy.h>
 #include <Library/VariablePolicyLib.h>
 
+#define SHA_DIGEST_SIZE_MAX SHA512_DIGEST_SIZE
+
+/**
+  Retrieves the size, in bytes, of the context buffer required for hash operations.
+
+  If this interface is not supported, then return zero.
+
+  @return  The size, in bytes, of the context buffer required for hash operations.
+  @retval  0   This interface is not supported.
+
+**/
+typedef
+UINTN
+(EFIAPI *EFI_HASH_GET_CONTEXT_SIZE)(
+  VOID
+  );
+
+/**
+  Initializes user-supplied memory pointed by Sha1Context as hash context for
+  subsequent use.
+
+  If HashContext is NULL, then return FALSE.
+  If this interface is not supported, then return FALSE.
+
+  @param[out]  HashContext  Pointer to Hashcontext being initialized.
+
+  @retval TRUE   Hash context initialization succeeded.
+  @retval FALSE  Hash context initialization failed.
+  @retval FALSE  This interface is not supported.
+
+**/
+typedef
+BOOLEAN
+(EFIAPI *EFI_HASH_INIT)(
+  OUT  VOID  *HashContext
+  );
+
+/**
+  Digests the input data and updates Hash context.
+
+  This function performs Hash digest on a data buffer of the specified size.
+  It can be called multiple times to compute the digest of long or discontinuous data streams.
+  Hash context should be already correctly initialized by HashInit(), and should not be finalized
+  by HashFinal(). Behavior with invalid context is undefined.
+
+  If HashContext is NULL, then return FALSE.
+  If this interface is not supported, then return FALSE.
+
+  @param[in, out]  HashContext  Pointer to the Hash context.
+  @param[in]       Data         Pointer to the buffer containing the data to be hashed.
+  @param[in]       DataSize     Size of Data buffer in bytes.
+
+  @retval TRUE   SHA-1 data digest succeeded.
+  @retval FALSE  SHA-1 data digest failed.
+  @retval FALSE  This interface is not supported.
+
+**/
+typedef
+BOOLEAN
+(EFIAPI *EFI_HASH_UPDATE)(
+  IN OUT  VOID        *HashContext,
+  IN      CONST VOID  *Data,
+  IN      UINTN       DataSize
+  );
+
+/**
+  Completes computation of the Hash digest value.
+
+  This function completes hash computation and retrieves the digest value into
+  the specified memory. After this function has been called, the Hash context cannot
+  be used again.
+  Hash context should be already correctly initialized by HashInit(), and should not be
+  finalized by HashFinal(). Behavior with invalid Hash context is undefined.
+
+  If HashContext is NULL, then return FALSE.
+  If HashValue is NULL, then return FALSE.
+  If this interface is not supported, then return FALSE.
+
+  @param[in, out]  HashContext  Pointer to the Hash context.
+  @param[out]      HashValue    Pointer to a buffer that receives the Hash digest
+                                value.
+
+  @retval TRUE   Hash digest computation succeeded.
+  @retval FALSE  Hash digest computation failed.
+  @retval FALSE  This interface is not supported.
+
+**/
+typedef
+BOOLEAN
+(EFIAPI *EFI_HASH_FINAL)(
+  IN OUT  VOID   *HashContext,
+  OUT     UINT8  *HashValue
+  );
+
+typedef struct {
+  UINT32                       HashSize;
+  EFI_HASH_GET_CONTEXT_SIZE    GetContextSize;
+  EFI_HASH_INIT                Init;
+  EFI_HASH_UPDATE              Update;
+  EFI_HASH_FINAL               Final;
+  VOID                         **HashShaCtx;
+  UINT8                        *OidValue;
+  UINTN                        OidLength;
+} EFI_HASH_INFO;
+
 //
 // Public Exponent of RSA Key.
 //
 CONST UINT8  mRsaE[] = { 0x01, 0x00, 0x01 };
 
-CONST UINT8  mSha256OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 };
+UINT8  mSha256OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 };
+UINT8  mSha384OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02 };
+UINT8  mSha512OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03 };
+
+EFI_HASH_INFO  mHashInfo[] = {
+  {SHA256_DIGEST_SIZE, Sha256GetContextSize, Sha256Init, Sha256Update, Sha256Final, &mHashSha256Ctx, mSha256OidValue, 9},
+  {SHA384_DIGEST_SIZE, Sha384GetContextSize, Sha384Init, Sha384Update, Sha384Final, &mHashSha384Ctx, mSha384OidValue, 9},
+  {SHA512_DIGEST_SIZE, Sha512GetContextSize, Sha512Init, Sha512Update, Sha512Final, &mHashSha512Ctx, mSha512OidValue, 9},
+};
 
 //
 // Requirement for different signature type which have been defined in UEFI spec.
@@ -44,6 +157,8 @@ EFI_SIGNATURE_ITEM  mSupportSigItem[] = {
   // {SigType,                       SigHeaderSize,   SigDataSize  }
   { EFI_CERT_SHA256_GUID,         0, 32            },
   { EFI_CERT_RSA2048_GUID,        0, 256           },
+  { EFI_CERT_RSA3072_GUID,        0, 384           },
+  { EFI_CERT_RSA4096_GUID,        0, 512           },
   { EFI_CERT_RSA2048_SHA256_GUID, 0, 256           },
   { EFI_CERT_SHA1_GUID,           0, 20            },
   { EFI_CERT_RSA2048_SHA1_GUID,   0, 256           },
@@ -1090,26 +1205,28 @@ AuthServiceInternalCompareTimeStamp (
 }
 
 /**
-  Calculate SHA256 digest of SignerCert CommonName + ToplevelCert tbsCertificate
+  Calculate SHA digest of SignerCert CommonName + ToplevelCert tbsCertificate
   SignerCert and ToplevelCert are inside the signer certificate chain.
 
+  @param[in]  HashAlgId           Hash algorithm index
   @param[in]  SignerCert          A pointer to SignerCert data.
   @param[in]  SignerCertSize      Length of SignerCert data.
   @param[in]  TopLevelCert        A pointer to TopLevelCert data.
   @param[in]  TopLevelCertSize    Length of TopLevelCert data.
-  @param[out] Sha256Digest       Sha256 digest calculated.
+  @param[out] ShaDigest           Sha digest calculated.
 
   @return EFI_ABORTED          Digest process failed.
-  @return EFI_SUCCESS          SHA256 Digest is successfully calculated.
+  @return EFI_SUCCESS          SHA Digest is successfully calculated.
 
 **/
 EFI_STATUS
-CalculatePrivAuthVarSignChainSHA256Digest (
+CalculatePrivAuthVarSignChainSHADigest (
+  IN     UINT8  HashAlgId,
   IN     UINT8  *SignerCert,
   IN     UINTN  SignerCertSize,
   IN     UINT8  *TopLevelCert,
   IN     UINTN  TopLevelCertSize,
-  OUT    UINT8  *Sha256Digest
+  OUT    UINT8  *ShaDigest
   )
 {
   UINT8       *TbsCert;
@@ -1119,6 +1236,11 @@ CalculatePrivAuthVarSignChainSHA256Digest (
   BOOLEAN     CryptoStatus;
   EFI_STATUS  Status;
 
+  if (HashAlgId >= (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) {
+    DEBUG ((DEBUG_INFO, "%a Unsupported Hash Algorithm %d\n", __func__, HashAlgId));
+    return EFI_ABORTED;
+  }
+
   CertCommonNameSize = sizeof (CertCommonName);
 
   //
@@ -1141,8 +1263,8 @@ CalculatePrivAuthVarSignChainSHA256Digest (
   //
   // Digest SignerCert CN + TopLevelCert tbsCertificate
   //
-  ZeroMem (Sha256Digest, SHA256_DIGEST_SIZE);
-  CryptoStatus = Sha256Init (mHashCtx);
+  ZeroMem (ShaDigest, mHashInfo[HashAlgId].HashSize);
+  CryptoStatus = mHashInfo[HashAlgId].Init (*(mHashInfo[HashAlgId].HashShaCtx));
   if (!CryptoStatus) {
     return EFI_ABORTED;
   }
@@ -1150,8 +1272,8 @@ CalculatePrivAuthVarSignChainSHA256Digest (
   //
   // '\0' is forced in CertCommonName. No overflow issue
   //
-  CryptoStatus = Sha256Update (
-                   mHashCtx,
+  CryptoStatus = mHashInfo[HashAlgId].Update (
+                   *(mHashInfo[HashAlgId].HashShaCtx),
                    CertCommonName,
                    AsciiStrLen (CertCommonName)
                    );
@@ -1159,12 +1281,12 @@ CalculatePrivAuthVarSignChainSHA256Digest (
     return EFI_ABORTED;
   }
 
-  CryptoStatus = Sha256Update (mHashCtx, TbsCert, TbsCertSize);
+  CryptoStatus = mHashInfo[HashAlgId].Update (*(mHashInfo[HashAlgId].HashShaCtx), TbsCert, TbsCertSize);
   if (!CryptoStatus) {
     return EFI_ABORTED;
   }
 
-  CryptoStatus = Sha256Final (mHashCtx, Sha256Digest);
+  CryptoStatus = mHashInfo[HashAlgId].Final (*(mHashInfo[HashAlgId].HashShaCtx), ShaDigest);
   if (!CryptoStatus) {
     return EFI_ABORTED;
   }
@@ -1516,9 +1638,10 @@ DeleteCertsFromDb (
 /**
   Insert signer's certificates for common authenticated variable with VariableName
   and VendorGuid in AUTH_CERT_DB_DATA to "certdb" or "certdbv" according to
-  time based authenticated variable attributes. CertData is the SHA256 digest of
+  time based authenticated variable attributes. CertData is the SHA digest of
   SignerCert CommonName + TopLevelCert tbsCertificate.
 
+  @param[in]  HashAlgId         Hash algorithm index.
   @param[in]  VariableName      Name of authenticated Variable.
   @param[in]  VendorGuid        Vendor GUID of authenticated Variable.
   @param[in]  Attributes        Attributes of authenticated variable.
@@ -1536,6 +1659,7 @@ DeleteCertsFromDb (
 **/
 EFI_STATUS
 InsertCertsToDb (
+  IN     UINT8     HashAlgId,
   IN     CHAR16    *VariableName,
   IN     EFI_GUID  *VendorGuid,
   IN     UINT32    Attributes,
@@ -1556,12 +1680,16 @@ InsertCertsToDb (
   UINT32             CertDataSize;
   AUTH_CERT_DB_DATA  *Ptr;
   CHAR16             *DbName;
-  UINT8              Sha256Digest[SHA256_DIGEST_SIZE];
+  UINT8              ShaDigest[SHA_DIGEST_SIZE_MAX];
 
   if ((VariableName == NULL) || (VendorGuid == NULL) || (SignerCert == NULL) || (TopLevelCert == NULL)) {
     return EFI_INVALID_PARAMETER;
   }
 
+  if (HashAlgId >= (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) {
+    return EFI_INVALID_PARAMETER;
+  }
+
   if ((Attributes & EFI_VARIABLE_NON_VOLATILE) != 0) {
     //
     // Get variable "certdb".
@@ -1618,20 +1746,22 @@ InsertCertsToDb (
   // Construct new data content of variable "certdb" or "certdbv".
   //
   NameSize      = (UINT32)StrLen (VariableName);
-  CertDataSize  = sizeof (Sha256Digest);
+  CertDataSize  = mHashInfo[HashAlgId].HashSize;
   CertNodeSize  = sizeof (AUTH_CERT_DB_DATA) + (UINT32)CertDataSize + NameSize * sizeof (CHAR16);
   NewCertDbSize = (UINT32)DataSize + CertNodeSize;
   if (NewCertDbSize > mMaxCertDbSize) {
     return EFI_OUT_OF_RESOURCES;
   }
 
-  Status = CalculatePrivAuthVarSignChainSHA256Digest (
+  Status = CalculatePrivAuthVarSignChainSHADigest (
+             HashAlgId,
              SignerCert,
              SignerCertSize,
              TopLevelCert,
              TopLevelCertSize,
-             Sha256Digest
+             ShaDigest
              );
+
   if (EFI_ERROR (Status)) {
     return Status;
   }
@@ -1663,7 +1793,7 @@ InsertCertsToDb (
 
   CopyMem (
     (UINT8 *)Ptr +  sizeof (AUTH_CERT_DB_DATA) + NameSize * sizeof (CHAR16),
-    Sha256Digest,
+    ShaDigest,
     CertDataSize
     );
 
@@ -1790,6 +1920,36 @@ CleanCertsFromDb (
   return Status;
 }
 
+/**
+  Find hash algorithm index
+
+  @param[in]  SigData      Pointer to the PKCS#7 message
+  @param[in]  SigDataSize  Length of the PKCS#7 message
+
+  @retval UINT8        Hash Algorithm Index
+**/
+UINT8
+FindHashAlgorithmIndex (
+  IN     UINT8         *SigData,
+  IN     UINT32        SigDataSize
+)
+{
+  UINT8 i;
+
+  for (i = 0; i < (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO)); i++) {
+    if (  (  (SigDataSize >= (13 + mHashInfo[i].OidLength))
+          && (  ((*(SigData + 1) & TWO_BYTE_ENCODE) == TWO_BYTE_ENCODE)
+            && (CompareMem (SigData + 13, mHashInfo[i].OidValue, mHashInfo[i].OidLength) == 0)))
+      || ((  (SigDataSize >= (32 +  mHashInfo[i].OidLength)))
+        && (  ((*(SigData + 20) & TWO_BYTE_ENCODE) == TWO_BYTE_ENCODE)
+          && (CompareMem (SigData + 32, mHashInfo[i].OidValue, mHashInfo[i].OidLength) == 0))))
+    {
+      break;
+    }
+  }
+  return i;
+}
+
 /**
   Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set
 
@@ -1857,8 +2017,9 @@ VerifyTimeBasedPayload (
   UINTN                          CertStackSize;
   UINT8                          *CertsInCertDb;
   UINT32                         CertsSizeinDb;
-  UINT8                          Sha256Digest[SHA256_DIGEST_SIZE];
+  UINT8                          ShaDigest[SHA_DIGEST_SIZE_MAX];
   EFI_CERT_DATA                  *CertDataPtr;
+  UINT8                          HashAlgId;
 
   //
   // 1. TopLevelCert is the top-level issuer certificate in signature Signer Cert Chain
@@ -1928,7 +2089,7 @@ VerifyTimeBasedPayload (
 
   //
   // SignedData.digestAlgorithms shall contain the digest algorithm used when preparing the
-  // signature. Only a digest algorithm of SHA-256 is accepted.
+  // signature. Only a digest algorithm of SHA-256, SHA-384 or SHA-512 is accepted.
   //
   //    According to PKCS#7 Definition (https://www.rfc-editor.org/rfc/rfc2315):
   //        SignedData ::= SEQUENCE {
@@ -1972,14 +2133,9 @@ VerifyTimeBasedPayload (
   //
   // Example generated with: https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Manual_process
   //
+  HashAlgId = FindHashAlgorithmIndex (SigData, SigDataSize);
   if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {
-    if (  (  (SigDataSize >= (13 + sizeof (mSha256OidValue)))
-          && (  ((*(SigData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)
-             || (CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256OidValue)) != 0)))
-       && (  (SigDataSize >= (32 + sizeof (mSha256OidValue)))
-          && (  ((*(SigData + 20) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)
-             || (CompareMem (SigData + 32, &mSha256OidValue, sizeof (mSha256OidValue)) != 0))))
-    {
+    if (HashAlgId >= (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) {
       return EFI_SECURITY_VIOLATION;
     }
   }
@@ -2170,19 +2326,20 @@ VerifyTimeBasedPayload (
         goto Exit;
       }
 
-      if (CertsSizeinDb == SHA256_DIGEST_SIZE) {
+      if ((HashAlgId < (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) && (CertsSizeinDb == mHashInfo[HashAlgId].HashSize)) {
         //
         // Check hash of signer cert CommonName + Top-level issuer tbsCertificate against data in CertDb
         //
         CertDataPtr = (EFI_CERT_DATA *)(SignerCerts + 1);
-        Status      = CalculatePrivAuthVarSignChainSHA256Digest (
+        Status      = CalculatePrivAuthVarSignChainSHADigest (
+                        HashAlgId,
                         CertDataPtr->CertDataBuffer,
                         ReadUnaligned32 ((UINT32 *)&(CertDataPtr->CertDataLength)),
                         TopLevelCert,
                         TopLevelCertSize,
-                        Sha256Digest
+                        ShaDigest
                         );
-        if (EFI_ERROR (Status) || (CompareMem (Sha256Digest, CertsInCertDb, CertsSizeinDb) != 0)) {
+        if (EFI_ERROR (Status) || (CompareMem (ShaDigest, CertsInCertDb, CertsSizeinDb) != 0)) {
           goto Exit;
         }
       } else {
@@ -2215,6 +2372,7 @@ VerifyTimeBasedPayload (
       //
       CertDataPtr = (EFI_CERT_DATA *)(SignerCerts + 1);
       Status      = InsertCertsToDb (
+                      HashAlgId,
                       VariableName,
                       VendorGuid,
                       Attributes,
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
index b202e613bc..f7bf771d55 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
+++ b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
@@ -92,7 +92,9 @@ extern UINT32  mMaxCertDbSize;
 extern UINT32  mPlatformMode;
 extern UINT8   mVendorKeyState;
 
-extern VOID  *mHashCtx;
+extern VOID  *mHashSha256Ctx;
+extern VOID  *mHashSha384Ctx;
+extern VOID  *mHashSha512Ctx;
 
 extern AUTH_VAR_LIB_CONTEXT_IN  *mAuthVarLibContextIn;
 
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
index dc61ae840c..19e0004699 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
@@ -26,12 +26,14 @@ UINT32  mMaxCertDbSize;
 UINT32  mPlatformMode;
 UINT8   mVendorKeyState;
 
-EFI_GUID  mSignatureSupport[] = { EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID };
+EFI_GUID  mSignatureSupport[] = { EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GUID, EFI_CERT_SHA384_GUID, EFI_CERT_SHA512_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_RSA3072_GUID, EFI_CERT_RSA4096_GUID, EFI_CERT_X509_GUID };
 
 //
 // Hash context pointer
 //
-VOID  *mHashCtx = NULL;
+VOID  *mHashSha256Ctx = NULL;
+VOID  *mHashSha384Ctx = NULL;
+VOID  *mHashSha512Ctx = NULL;
 
 VARIABLE_ENTRY_PROPERTY  mAuthVarEntry[] = {
   {
@@ -91,7 +93,7 @@ VARIABLE_ENTRY_PROPERTY  mAuthVarEntry[] = {
   },
 };
 
-VOID  **mAuthVarAddressPointer[9];
+VOID  **mAuthVarAddressPointer[11];
 
 AUTH_VAR_LIB_CONTEXT_IN  *mAuthVarLibContextIn = NULL;
 
@@ -120,7 +122,6 @@ AuthVariableLibInitialize (
   UINT32      VarAttr;
   UINT8       *Data;
   UINTN       DataSize;
-  UINTN       CtxSize;
   UINT8       SecureBootMode;
   UINT8       SecureBootEnable;
   UINT8       CustomMode;
@@ -135,9 +136,18 @@ AuthVariableLibInitialize (
   //
   // Initialize hash context.
   //
-  CtxSize  = Sha256GetContextSize ();
-  mHashCtx = AllocateRuntimePool (CtxSize);
-  if (mHashCtx == NULL) {
+  mHashSha256Ctx = AllocateRuntimePool (Sha256GetContextSize ());
+  if (mHashSha256Ctx == NULL) {
+    return EFI_OUT_OF_RESOURCES;
+  }
+
+  mHashSha384Ctx = AllocateRuntimePool (Sha384GetContextSize ());
+  if (mHashSha384Ctx == NULL) {
+    return EFI_OUT_OF_RESOURCES;
+  }
+
+  mHashSha512Ctx = AllocateRuntimePool (Sha512GetContextSize ());
+  if (mHashSha512Ctx == NULL) {
     return EFI_OUT_OF_RESOURCES;
   }
 
@@ -356,14 +366,16 @@ AuthVariableLibInitialize (
   AuthVarLibContextOut->AuthVarEntry        = mAuthVarEntry;
   AuthVarLibContextOut->AuthVarEntryCount   = ARRAY_SIZE (mAuthVarEntry);
   mAuthVarAddressPointer[0]                 = (VOID **)&mCertDbStore;
-  mAuthVarAddressPointer[1]                 = (VOID **)&mHashCtx;
-  mAuthVarAddressPointer[2]                 = (VOID **)&mAuthVarLibContextIn;
-  mAuthVarAddressPointer[3]                 = (VOID **)&(mAuthVarLibContextIn->FindVariable),
-  mAuthVarAddressPointer[4]                 = (VOID **)&(mAuthVarLibContextIn->FindNextVariable),
-  mAuthVarAddressPointer[5]                 = (VOID **)&(mAuthVarLibContextIn->UpdateVariable),
-  mAuthVarAddressPointer[6]                 = (VOID **)&(mAuthVarLibContextIn->GetScratchBuffer),
-  mAuthVarAddressPointer[7]                 = (VOID **)&(mAuthVarLibContextIn->CheckRemainingSpaceForConsistency),
-  mAuthVarAddressPointer[8]                 = (VOID **)&(mAuthVarLibContextIn->AtRuntime),
+  mAuthVarAddressPointer[1]                 = (VOID **)&mHashSha256Ctx;
+  mAuthVarAddressPointer[2]                 = (VOID **)&mHashSha384Ctx;
+  mAuthVarAddressPointer[3]                 = (VOID **)&mHashSha512Ctx;
+  mAuthVarAddressPointer[4]                 = (VOID **)&mAuthVarLibContextIn;
+  mAuthVarAddressPointer[5]                 = (VOID **)&(mAuthVarLibContextIn->FindVariable),
+  mAuthVarAddressPointer[6]                 = (VOID **)&(mAuthVarLibContextIn->FindNextVariable),
+  mAuthVarAddressPointer[7]                 = (VOID **)&(mAuthVarLibContextIn->UpdateVariable),
+  mAuthVarAddressPointer[8]                 = (VOID **)&(mAuthVarLibContextIn->GetScratchBuffer),
+  mAuthVarAddressPointer[9]                 = (VOID **)&(mAuthVarLibContextIn->CheckRemainingSpaceForConsistency),
+  mAuthVarAddressPointer[10]                 = (VOID **)&(mAuthVarLibContextIn->AtRuntime),
   AuthVarLibContextOut->AddressPointer      = mAuthVarAddressPointer;
   AuthVarLibContextOut->AddressPointerCount = ARRAY_SIZE (mAuthVarAddressPointer);
 
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index 5d8dbd5468..88b2d3c6c1 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1620,7 +1620,7 @@ Done:
       in the security database "db", and no valid signature nor any hash value of the image may
       be reflected in the security database "dbx".
     Otherwise, the image is not signed,
-      The SHA256 hash value of the image must match a record in the security database "db", and
+      The hash value of the image must match a record in the security database "db", and
       not be reflected in the security data base "dbx".
 
   Caution: This function may receive untrusted input.
@@ -1690,6 +1690,8 @@ DxeImageVerificationHandler (
   EFI_STATUS                    VarStatus;
   UINT32                        VarAttr;
   BOOLEAN                       IsFound;
+  UINT8                         HashAlg;
+  BOOLEAN                       IsFoundInDatabase;
 
   SignatureList     = NULL;
   SignatureListSize = 0;
@@ -1699,6 +1701,7 @@ DxeImageVerificationHandler (
   Action            = EFI_IMAGE_EXECUTION_AUTH_UNTESTED;
   IsVerified        = FALSE;
   IsFound           = FALSE;
+  IsFoundInDatabase = FALSE;
 
   //
   // Check the image type and get policy setting.
@@ -1837,40 +1840,50 @@ DxeImageVerificationHandler (
   //
   if ((SecDataDir == NULL) || (SecDataDir->Size == 0)) {
     //
-    // This image is not signed. The SHA256 hash value of the image must match a record in the security database "db",
+    // This image is not signed. The hash value of the image must match a record in the security database "db",
     // and not be reflected in the security data base "dbx".
     //
-    if (!HashPeImage (HASHALG_SHA256)) {
-      DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Failed to hash this image using %s.\n", mHashTypeStr));
-      goto Failed;
-    }
+    HashAlg = sizeof (mHash) / sizeof (HASH_TABLE);
+    while (HashAlg > 0) {
+      HashAlg--;
+      if ((mHash[HashAlg].GetContextSize == NULL) || (mHash[HashAlg].HashInit == NULL) || (mHash[HashAlg].HashUpdate == NULL) || (mHash[HashAlg].HashFinal == NULL)) {
+        continue;
+      }
+      if (!HashPeImage (HashAlg)) {
+        continue;
+      }
 
-    DbStatus = IsSignatureFoundInDatabase (
-                 EFI_IMAGE_SECURITY_DATABASE1,
-                 mImageDigest,
-                 &mCertType,
-                 mImageDigestSize,
-                 &IsFound
-                 );
-    if (EFI_ERROR (DbStatus) || IsFound) {
-      //
-      // Image Hash is in forbidden database (DBX).
-      //
-      DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed and %s hash of image is forbidden by DBX.\n", mHashTypeStr));
-      goto Failed;
+      DbStatus = IsSignatureFoundInDatabase (
+                   EFI_IMAGE_SECURITY_DATABASE1,
+                   mImageDigest,
+                   &mCertType,
+                   mImageDigestSize,
+                   &IsFound
+                   );
+      if (EFI_ERROR (DbStatus) || IsFound) {
+        //
+        // Image Hash is in forbidden database (DBX).
+        //
+        DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed and %s hash of image is forbidden by DBX.\n", mHashTypeStr));
+        goto Failed;
+      }
+
+      DbStatus = IsSignatureFoundInDatabase (
+                   EFI_IMAGE_SECURITY_DATABASE,
+                   mImageDigest,
+                   &mCertType,
+                   mImageDigestSize,
+                   &IsFound
+                   );
+      if (!EFI_ERROR (DbStatus) && IsFound) {
+        //
+        // Image Hash is in allowed database (DB).
+        //
+        IsFoundInDatabase = TRUE;
+      }
     }
 
-    DbStatus = IsSignatureFoundInDatabase (
-                 EFI_IMAGE_SECURITY_DATABASE,
-                 mImageDigest,
-                 &mCertType,
-                 mImageDigestSize,
-                 &IsFound
-                 );
-    if (!EFI_ERROR (DbStatus) && IsFound) {
-      //
-      // Image Hash is in allowed database (DB).
-      //
+    if (IsFoundInDatabase) {
       return EFI_SUCCESS;
     }
 
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
index 1671d5be7c..cb52a16c09 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
@@ -70,6 +70,14 @@
   ## SOMETIMES_PRODUCES      ## GUID            # Unique ID for the type of the signature.
   gEfiCertRsa2048Guid
 
+  ## SOMETIMES_CONSUMES      ## GUID            # Unique ID for the type of the signature.
+  ## SOMETIMES_PRODUCES      ## GUID            # Unique ID for the type of the signature.
+  gEfiCertRsa3072Guid
+
+  ## SOMETIMES_CONSUMES      ## GUID            # Unique ID for the type of the signature.
+  ## SOMETIMES_PRODUCES      ## GUID            # Unique ID for the type of the signature.
+  gEfiCertRsa4096Guid
+
   ## SOMETIMES_CONSUMES      ## GUID            # Unique ID for the type of the signature.
   ## SOMETIMES_PRODUCES      ## GUID            # Unique ID for the type of the signature.
   gEfiCertX509Guid
@@ -82,6 +90,14 @@
   ## SOMETIMES_PRODUCES      ## GUID            # Unique ID for the type of the signature.
   gEfiCertSha256Guid
 
+  ## SOMETIMES_CONSUMES      ## GUID            # Unique ID for the type of the signature.
+  ## SOMETIMES_PRODUCES      ## GUID            # Unique ID for the type of the signature.
+  gEfiCertSha384Guid
+
+  ## SOMETIMES_CONSUMES      ## GUID            # Unique ID for the type of the signature.
+  ## SOMETIMES_PRODUCES      ## GUID            # Unique ID for the type of the signature.
+  gEfiCertSha512Guid
+
   ## SOMETIMES_CONSUMES      ## Variable:L"db"
   ## SOMETIMES_PRODUCES      ## Variable:L"db"
   ## SOMETIMES_CONSUMES      ## Variable:L"dbx"
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
index 0e31502b1b..de9d801109 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
@@ -560,7 +560,7 @@ ON_EXIT:
 
 **/
 EFI_STATUS
-EnrollRsa2048ToKek (
+EnrollRsaToKek (
   IN SECUREBOOT_CONFIG_PRIVATE_DATA  *Private
   )
 {
@@ -603,8 +603,19 @@ EnrollRsa2048ToKek (
 
   ASSERT (KeyBlob != NULL);
   KeyInfo = (CPL_KEY_INFO *)KeyBlob;
-  if (KeyInfo->KeyLengthInBits / 8 != WIN_CERT_UEFI_RSA2048_SIZE) {
-    DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048 is supported.\n"));
+  if (KeyInfo->KeyType == KEY_TYPE_RSASSA) {
+    switch (KeyInfo->KeyLengthInBits / 8) {
+    case WIN_CERT_UEFI_RSA2048_SIZE:
+    case WIN_CERT_UEFI_RSA3072_SIZE:
+    case WIN_CERT_UEFI_RSA4096_SIZE:
+      break;
+    default :
+      DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048, RSA3072 and RSA4096 are supported.\n"));
+      Status = EFI_UNSUPPORTED;
+      goto ON_EXIT;
+    }
+  } else {
+    DEBUG ((DEBUG_ERROR, "Unsupported key type : %d, only 0 is supported.\n", KeyInfo->KeyType));
     Status = EFI_UNSUPPORTED;
     goto ON_EXIT;
   }
@@ -632,7 +643,7 @@ EnrollRsa2048ToKek (
   //
   KekSigListSize = sizeof (EFI_SIGNATURE_LIST)
                    + sizeof (EFI_SIGNATURE_DATA) - 1
-                   + WIN_CERT_UEFI_RSA2048_SIZE;
+                   + KeyLenInBytes;
 
   KekSigList = (EFI_SIGNATURE_LIST *)AllocateZeroPool (KekSigListSize);
   if (KekSigList == NULL) {
@@ -642,17 +653,32 @@ EnrollRsa2048ToKek (
 
   KekSigList->SignatureListSize = sizeof (EFI_SIGNATURE_LIST)
                                   + sizeof (EFI_SIGNATURE_DATA) - 1
-                                  + WIN_CERT_UEFI_RSA2048_SIZE;
+                                  + (UINT32) KeyLenInBytes;
   KekSigList->SignatureHeaderSize = 0;
-  KekSigList->SignatureSize       = sizeof (EFI_SIGNATURE_DATA) - 1 + WIN_CERT_UEFI_RSA2048_SIZE;
-  CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid);
+  KekSigList->SignatureSize       = sizeof (EFI_SIGNATURE_DATA) - 1 + (UINT32) KeyLenInBytes;
+  switch (KeyLenInBytes) {
+  case WIN_CERT_UEFI_RSA2048_SIZE:
+    CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid);
+    break;
+  case WIN_CERT_UEFI_RSA3072_SIZE:
+    CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa3072Guid);
+    break;
+  case WIN_CERT_UEFI_RSA4096_SIZE:
+    CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa4096Guid);
+    break;
+    break;
+  default :
+    DEBUG ((DEBUG_ERROR, "Unsupported key length.\n"));
+    Status = EFI_UNSUPPORTED;
+    goto ON_EXIT;
+  }
 
   KEKSigData = (EFI_SIGNATURE_DATA *)((UINT8 *)KekSigList + sizeof (EFI_SIGNATURE_LIST));
   CopyGuid (&KEKSigData->SignatureOwner, Private->SignatureGUID);
   CopyMem (
     KEKSigData->SignatureData,
     KeyBlob + sizeof (CPL_KEY_INFO),
-    WIN_CERT_UEFI_RSA2048_SIZE
+    KeyLenInBytes
     );
 
   //
@@ -890,7 +916,7 @@ EnrollKeyExchangeKey (
   if (IsDerEncodeCertificate (FilePostFix)) {
     return EnrollX509ToKek (Private);
   } else if (CompareMem (FilePostFix, L".pbk", 4) == 0) {
-    return EnrollRsa2048ToKek (Private);
+    return EnrollRsaToKek (Private);
   } else {
     //
     // File type is wrong, simply close it
@@ -1847,7 +1873,7 @@ HashPeImage (
   SectionHeader = NULL;
   Status        = FALSE;
 
-  if (HashAlg != HASHALG_SHA256) {
+  if ((HashAlg >= HASHALG_MAX)) {
     return FALSE;
   }
 
@@ -1856,8 +1882,25 @@ HashPeImage (
   //
   ZeroMem (mImageDigest, MAX_DIGEST_SIZE);
 
-  mImageDigestSize = SHA256_DIGEST_SIZE;
-  mCertType        = gEfiCertSha256Guid;
+   switch (HashAlg) {
+    case HASHALG_SHA256:
+      mImageDigestSize = SHA256_DIGEST_SIZE;
+      mCertType        = gEfiCertSha256Guid;
+      break;
+
+    case HASHALG_SHA384:
+      mImageDigestSize = SHA384_DIGEST_SIZE;
+      mCertType        = gEfiCertSha384Guid;
+      break;
+
+    case HASHALG_SHA512:
+      mImageDigestSize = SHA512_DIGEST_SIZE;
+      mCertType        = gEfiCertSha512Guid;
+      break;
+
+    default:
+      return FALSE;
+  }
 
   CtxSize = mHash[HashAlg].GetContextSize ();
 
@@ -2251,6 +2294,7 @@ EnrollImageSignatureToSigDB (
   UINT32                     Attr;
   WIN_CERTIFICATE_UEFI_GUID  *GuidCertData;
   EFI_TIME                   Time;
+  UINT32                     HashAlg;
 
   Data         = NULL;
   GuidCertData = NULL;
@@ -2289,8 +2333,20 @@ EnrollImageSignatureToSigDB (
   }
 
   if (mSecDataDir->SizeOfCert == 0) {
-    if (!HashPeImage (HASHALG_SHA256)) {
-      Status =  EFI_SECURITY_VIOLATION;
+    Status = EFI_SECURITY_VIOLATION;
+    HashAlg = sizeof (mHash) / sizeof (HASH_TABLE);
+    while (HashAlg > 0) {
+      HashAlg--;
+      if ((mHash[HashAlg].GetContextSize == NULL) || (mHash[HashAlg].HashInit == NULL) || (mHash[HashAlg].HashUpdate == NULL) || (mHash[HashAlg].HashFinal == NULL)) {
+        continue;
+      }
+      if (HashPeImage (HashAlg)) {
+        Status = EFI_SUCCESS;
+        break;
+      }
+    }
+    if (EFI_ERROR (Status)) {
+      DEBUG ((DEBUG_ERROR, "Fail to get hash digest: %r", Status));
       goto ON_EXIT;
     }
   } else {
@@ -2589,6 +2645,10 @@ UpdateDeletePage (
   while ((ItemDataSize > 0) && (ItemDataSize >= CertList->SignatureListSize)) {
     if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid)) {
       Help = STRING_TOKEN (STR_CERT_TYPE_RSA2048_SHA256_GUID);
+    } else if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid)) {
+      Help = STRING_TOKEN (STR_CERT_TYPE_RSA3072_SHA384_GUID);
+    } else if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid)) {
+      Help = STRING_TOKEN (STR_CERT_TYPE_RSA4096_SHA512_GUID);
     } else if (CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) {
       Help = STRING_TOKEN (STR_CERT_TYPE_PCKS7_GUID);
     } else if (CompareGuid (&CertList->SignatureType, &gEfiCertSha1Guid)) {
@@ -2750,6 +2810,8 @@ DeleteKeyExchangeKey (
   GuidIndex      = 0;
   while ((KekDataSize > 0) && (KekDataSize >= CertList->SignatureListSize)) {
     if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid) ||
+        CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid) ||
+        CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid) ||
         CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid))
     {
       CopyMem (Data + Offset, CertList, (sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize));
@@ -2952,6 +3014,8 @@ DeleteSignature (
   GuidIndex    = 0;
   while ((ItemDataSize > 0) && (ItemDataSize >= CertList->SignatureListSize)) {
     if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid) ||
+        CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid) ||
+        CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid) ||
         CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid) ||
         CompareGuid (&CertList->SignatureType, &gEfiCertSha1Guid) ||
         CompareGuid (&CertList->SignatureType, &gEfiCertSha256Guid) ||
@@ -3758,12 +3822,20 @@ LoadSignatureList (
   while ((RemainingSize > 0) && (RemainingSize >= ListWalker->SignatureListSize)) {
     if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa2048Guid)) {
       ListType = STRING_TOKEN (STR_LIST_TYPE_RSA2048_SHA256);
+    } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa3072Guid)) {
+      ListType = STRING_TOKEN (STR_LIST_TYPE_RSA3072_SHA384);
+    } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa4096Guid)) {
+      ListType = STRING_TOKEN (STR_LIST_TYPE_RSA4096_SHA512);
     } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Guid)) {
       ListType = STRING_TOKEN (STR_LIST_TYPE_X509);
     } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha1Guid)) {
       ListType = STRING_TOKEN (STR_LIST_TYPE_SHA1);
     } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha256Guid)) {
       ListType = STRING_TOKEN (STR_LIST_TYPE_SHA256);
+    } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha384Guid)) {
+      ListType = STRING_TOKEN (STR_LIST_TYPE_SHA384);
+    } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha512Guid)) {
+      ListType = STRING_TOKEN (STR_LIST_TYPE_SHA512);
     } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Sha256Guid)) {
       ListType = STRING_TOKEN (STR_LIST_TYPE_X509_SHA256);
     } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Sha384Guid)) {
@@ -4001,6 +4073,14 @@ FormatHelpInfo (
     ListTypeId = STRING_TOKEN (STR_LIST_TYPE_RSA2048_SHA256);
     DataSize   = ListEntry->SignatureSize - sizeof (EFI_GUID);
     IsCert     = TRUE;
+  } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertRsa3072Guid)) {
+    ListTypeId = STRING_TOKEN (STR_LIST_TYPE_RSA3072_SHA384);
+    DataSize   = ListEntry->SignatureSize - sizeof (EFI_GUID);
+    IsCert     = TRUE;
+  } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertRsa4096Guid)) {
+    ListTypeId = STRING_TOKEN (STR_LIST_TYPE_RSA4096_SHA512);
+    DataSize   = ListEntry->SignatureSize - sizeof (EFI_GUID);
+    IsCert     = TRUE;
   } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertX509Guid)) {
     ListTypeId = STRING_TOKEN (STR_LIST_TYPE_X509);
     DataSize   = ListEntry->SignatureSize - sizeof (EFI_GUID);
@@ -4011,6 +4091,12 @@ FormatHelpInfo (
   } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha256Guid)) {
     ListTypeId = STRING_TOKEN (STR_LIST_TYPE_SHA256);
     DataSize   = 32;
+  } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha384Guid)) {
+    ListTypeId = STRING_TOKEN (STR_LIST_TYPE_SHA384);
+    DataSize   = 48;
+  } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha512Guid)) {
+    ListTypeId = STRING_TOKEN (STR_LIST_TYPE_SHA512);
+    DataSize   = 64;
   } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertX509Sha256Guid)) {
     ListTypeId = STRING_TOKEN (STR_LIST_TYPE_X509_SHA256);
     DataSize   = 32;
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
index 37c66f1b95..ff6e7301af 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
@@ -82,6 +82,8 @@ extern  EFI_IFR_GUID_LABEL  *mEndLabel;
 #define MAX_DIGEST_SIZE  SHA512_DIGEST_SIZE
 
 #define WIN_CERT_UEFI_RSA2048_SIZE  256
+#define WIN_CERT_UEFI_RSA3072_SIZE  384
+#define WIN_CERT_UEFI_RSA4096_SIZE  512
 
 //
 // Support hash types
@@ -98,6 +100,11 @@ extern  EFI_IFR_GUID_LABEL  *mEndLabel;
 //
 #define CER_PUBKEY_MIN_SIZE  256
 
+//
+// Define KeyType for public key storing file
+//
+#define KEY_TYPE_RSASSA  0
+
 //
 // Types of errors may occur during certificate enrollment.
 //
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
index 0d01701de7..1b48acc800 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
@@ -113,6 +113,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #string STR_FORM_ENROLL_KEK_FROM_FILE_TITLE_HELP    #language en-US "Read the public key of KEK from file"
 #string STR_FILE_EXPLORER_TITLE                   #language en-US "File Explorer"
 #string STR_CERT_TYPE_RSA2048_SHA256_GUID         #language en-US "RSA2048_SHA256_GUID"
+#string STR_CERT_TYPE_RSA3072_SHA384_GUID         #language en-US "RSA3072_SHA384_GUID"
+#string STR_CERT_TYPE_RSA4096_SHA512_GUID         #language en-US "RSA4096_SHA512_GUID"
 #string STR_CERT_TYPE_PCKS7_GUID                  #language en-US "PKCS7_GUID"
 #string STR_CERT_TYPE_SHA1_GUID                   #language en-US "SHA1_GUID"
 #string STR_CERT_TYPE_SHA256_GUID                 #language en-US "SHA256_GUID"
@@ -121,9 +123,13 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #string STR_CERT_TYPE_X509_SHA512_GUID            #language en-US "X509_SHA512_GUID"
 
 #string STR_LIST_TYPE_RSA2048_SHA256              #language en-US "RSA2048_SHA256"
+#string STR_LIST_TYPE_RSA3072_SHA384              #language en-US "RSA3072_SHA384"
+#string STR_LIST_TYPE_RSA4096_SHA512              #language en-US "RSA4096_SHA512"
 #string STR_LIST_TYPE_X509                        #language en-US "X509"
 #string STR_LIST_TYPE_SHA1                        #language en-US "SHA1"
 #string STR_LIST_TYPE_SHA256                      #language en-US "SHA256"
+#string STR_LIST_TYPE_SHA384                      #language en-US "SHA384"
+#string STR_LIST_TYPE_SHA512                      #language en-US "SHA512"
 #string STR_LIST_TYPE_X509_SHA256                 #language en-US "X509_SHA256"
 #string STR_LIST_TYPE_X509_SHA384                 #language en-US "X509_SHA384"
 #string STR_LIST_TYPE_X509_SHA512                 #language en-US "X509_SHA512"
-- 
2.26.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#107296): https://edk2.groups.io/g/devel/message/107296
Mute This Topic: https://groups.io/mt/100385944/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



^ permalink raw reply related	[flat|nested] 17+ messages in thread

* Re: [edk2-devel] [PATCH V5 2/3] CryptoPkg/Library/BaseCryptLib: add sha384 and sha512 to ImageTimestampVerify
  2023-07-27  6:35 ` [edk2-devel] [PATCH V5 2/3] CryptoPkg/Library/BaseCryptLib: add sha384 and sha512 to ImageTimestampVerify Sheng Wei
@ 2023-07-27  9:42   ` Yao, Jiewen
  0 siblings, 0 replies; 17+ messages in thread
From: Yao, Jiewen @ 2023-07-27  9:42 UTC (permalink / raw)
  To: Sheng, W, devel@edk2.groups.io
  Cc: Wang, Jian J, Xu, Min M, Chen, Zeyi, Wang, Fiona, Lu, Xiaoyu1,
	Jiang, Guomin, Kinney, Michael D

Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>

> -----Original Message-----
> From: Sheng, W <w.sheng@intel.com>
> Sent: Thursday, July 27, 2023 2:35 PM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>;
> Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi <zeyi.chen@intel.com>; Wang,
> Fiona <fiona.wang@intel.com>; Lu, Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang,
> Guomin <guomin.jiang@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>
> Subject: [PATCH V5 2/3] CryptoPkg/Library/BaseCryptLib: add sha384 and sha512
> to ImageTimestampVerify
> 
> Register and initialize sha384/sha512 digest algorithms for PKCS#7 Handling.
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3413
> 
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Min Xu <min.m.xu@intel.com>
> Cc: Zeyi Chen <zeyi.chen@intel.com>
> Cc: Fiona Wang <fiona.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
> Cc: Guomin Jiang <guomin.jiang@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Signed-off-by: Sheng Wei <w.sheng@intel.com>
> ---
>  CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
> b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
> index 027dbb6842..944bcf8d38 100644
> --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
> +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
> @@ -591,7 +591,8 @@ ImageTimestampVerify (
>    // Register & Initialize necessary digest algorithms for PKCS#7 Handling.
>    //
>    if ((EVP_add_digest (EVP_md5 ()) == 0) || (EVP_add_digest (EVP_sha1 ()) == 0)
> ||
> -      (EVP_add_digest (EVP_sha256 ()) == 0) || ((EVP_add_digest_alias
> (SN_sha1WithRSAEncryption, SN_sha1WithRSA)) == 0))
> +      (EVP_add_digest (EVP_sha256 ()) == 0) || (EVP_add_digest (EVP_sha384 ())
> == 0) ||
> +      (EVP_add_digest (EVP_sha512 ()) == 0) || ((EVP_add_digest_alias
> (SN_sha1WithRSAEncryption, SN_sha1WithRSA)) == 0))
>    {
>      return FALSE;
>    }
> --
> 2.26.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#107299): https://edk2.groups.io/g/devel/message/107299
Mute This Topic: https://groups.io/mt/100385943/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [edk2-devel] [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384
  2023-07-27  6:35 [edk2-devel] [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384 Sheng Wei
                   ` (2 preceding siblings ...)
  2023-07-27  6:35 ` [edk2-devel] [PATCH V5 3/3] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384 Sheng Wei
@ 2023-07-27  9:44 ` Yao, Jiewen
  2023-07-28  1:49   ` Sheng Wei
       [not found] ` <1775A5F91CFEF78E.27447@groups.io>
  4 siblings, 1 reply; 17+ messages in thread
From: Yao, Jiewen @ 2023-07-27  9:44 UTC (permalink / raw)
  To: Sheng, W, devel@edk2.groups.io
  Cc: Wang, Jian J, Xu, Min M, Chen, Zeyi, Wang, Fiona, Lu, Xiaoyu1,
	Jiang, Guomin, Kinney, Michael D, Gao, Liming

Thanks. May I know what *negative* test you have done?


> -----Original Message-----
> From: Sheng, W <w.sheng@intel.com>
> Sent: Thursday, July 27, 2023 2:35 PM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>;
> Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi <zeyi.chen@intel.com>; Wang,
> Fiona <fiona.wang@intel.com>; Lu, Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang,
> Guomin <guomin.jiang@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Gao, Liming <gaoliming@byosoft.com.cn>
> Subject: [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384
> 
> Patch V5:
> Using define KEY_TYPE_RSASSA to replace the magic number.
> 
> Patch V4:
> Determine the RSA algorithm by a supported algorithm list.
> 
> Patch V3:
> Select SHA algorithm automaticly for a unsigned efi image.
> 
> Patch V2:
> Determine the SHA algorithm by a supported algorithm list.
> Create SHA context for each algorithm.
> 
> Test Case:
> 1. Enroll a RSA4096 Cert, and execute an RSA4096 signed efi image under UEFI
> shell.
> 2. Enroll a RSA3072 Cert, and execute an RSA3072 signed efi image under UEFI
> shell.
> 3. Enroll a RSA2048 Cert, and execute an RSA2048 signed efi image under UEFI
> shell.
> 4. Enroll an unsigned efi image, execute the unsigned efi image under UEFI shell
> 
> Test Result:
> Pass
> 
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Min Xu <min.m.xu@intel.com>
> Cc: Zeyi Chen <zeyi.chen@intel.com>
> Cc: Fiona Wang <fiona.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
> Cc: Guomin Jiang <guomin.jiang@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Liming Gao <gaoliming@byosoft.com.cn>
> 
> Sheng Wei (3):
>   MdePkg/Include: Add GUID for CERT_RSA3072 and CERT_RSA4096
>   CryptoPkg/Library/BaseCryptLib: add sha384 and sha512 to
>     ImageTimestampVerify
>   SecurityPkg/SecureBoot: Support RSA 512 and RSA 384
> 
>  CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c   |   3 +-
>  MdePkg/Include/Guid/ImageAuthentication.h     |  26 +++
>  MdePkg/MdePkg.dec                             |   2 +
>  .../Library/AuthVariableLib/AuthService.c     | 220 +++++++++++++++---
>  .../AuthVariableLib/AuthServiceInternal.h     |   4 +-
>  .../Library/AuthVariableLib/AuthVariableLib.c |  42 ++--
>  .../DxeImageVerificationLib.c                 |  73 +++---
>  .../SecureBootConfigDxe.inf                   |  16 ++
>  .../SecureBootConfigImpl.c                    | 114 +++++++--
>  .../SecureBootConfigImpl.h                    |   7 +
>  .../SecureBootConfigStrings.uni               |   6 +
>  11 files changed, 421 insertions(+), 92 deletions(-)
> 
> --
> 2.26.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#107300): https://edk2.groups.io/g/devel/message/107300
Mute This Topic: https://groups.io/mt/100385941/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [edk2-devel] [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384
  2023-07-27  9:44 ` [edk2-devel] [PATCH V5 0/3] SecureBoot: " Yao, Jiewen
@ 2023-07-28  1:49   ` Sheng Wei
  2023-07-28  2:15     ` Yao, Jiewen
  0 siblings, 1 reply; 17+ messages in thread
From: Sheng Wei @ 2023-07-28  1:49 UTC (permalink / raw)
  To: Yao, Jiewen, devel@edk2.groups.io
  Cc: Wang, Jian J, Xu, Min M, Chen, Zeyi, Wang, Fiona, Lu, Xiaoyu1,
	Jiang, Guomin, Kinney, Michael D, Gao, Liming

Here are my negative tests.
1) Enroll a RSA2048 Cert, execute an unsigned efi image.
2) Enroll a RSA2048 Cert, execute a RSA4096 signed efi image.
3) Enroll a RSA4096 Cert, execute a RSA3072 signed efi image.
4) Enroll a RSA4096 Cert to both DB and DBX, execute the RSA4096 signed efi image.

Test Result:
Get "Access Denied" when try to execute the efi image.

Thank you.
BR
Sheng Wei

> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: 2023年7月27日 17:45
> To: Sheng, W <w.sheng@intel.com>; devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>;
> Chen, Zeyi <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>;
> Lu, Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, Guomin
> <guomin.jiang@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Gao, Liming <gaoliming@byosoft.com.cn>
> Subject: RE: [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384
> 
> Thanks. May I know what *negative* test you have done?
> 
> 
> > -----Original Message-----
> > From: Sheng, W <w.sheng@intel.com>
> > Sent: Thursday, July 27, 2023 2:35 PM
> > To: devel@edk2.groups.io
> > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi
> > <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>; Lu, Xiaoyu1
> > <xiaoyu1.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>;
> > Kinney, Michael D <michael.d.kinney@intel.com>; Gao, Liming
> > <gaoliming@byosoft.com.cn>
> > Subject: [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384
> >
> > Patch V5:
> > Using define KEY_TYPE_RSASSA to replace the magic number.
> >
> > Patch V4:
> > Determine the RSA algorithm by a supported algorithm list.
> >
> > Patch V3:
> > Select SHA algorithm automaticly for a unsigned efi image.
> >
> > Patch V2:
> > Determine the SHA algorithm by a supported algorithm list.
> > Create SHA context for each algorithm.
> >
> > Test Case:
> > 1. Enroll a RSA4096 Cert, and execute an RSA4096 signed efi image
> > under UEFI shell.
> > 2. Enroll a RSA3072 Cert, and execute an RSA3072 signed efi image
> > under UEFI shell.
> > 3. Enroll a RSA2048 Cert, and execute an RSA2048 signed efi image
> > under UEFI shell.
> > 4. Enroll an unsigned efi image, execute the unsigned efi image under
> > UEFI shell
> >
> > Test Result:
> > Pass
> >
> > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > Cc: Jian J Wang <jian.j.wang@intel.com>
> > Cc: Min Xu <min.m.xu@intel.com>
> > Cc: Zeyi Chen <zeyi.chen@intel.com>
> > Cc: Fiona Wang <fiona.wang@intel.com>
> > Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
> > Cc: Guomin Jiang <guomin.jiang@intel.com>
> > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > Cc: Liming Gao <gaoliming@byosoft.com.cn>
> >
> > Sheng Wei (3):
> >   MdePkg/Include: Add GUID for CERT_RSA3072 and CERT_RSA4096
> >   CryptoPkg/Library/BaseCryptLib: add sha384 and sha512 to
> >     ImageTimestampVerify
> >   SecurityPkg/SecureBoot: Support RSA 512 and RSA 384
> >
> >  CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c   |   3 +-
> >  MdePkg/Include/Guid/ImageAuthentication.h     |  26 +++
> >  MdePkg/MdePkg.dec                             |   2 +
> >  .../Library/AuthVariableLib/AuthService.c     | 220 +++++++++++++++---
> >  .../AuthVariableLib/AuthServiceInternal.h     |   4 +-
> >  .../Library/AuthVariableLib/AuthVariableLib.c |  42 ++--
> >  .../DxeImageVerificationLib.c                 |  73 +++---
> >  .../SecureBootConfigDxe.inf                   |  16 ++
> >  .../SecureBootConfigImpl.c                    | 114 +++++++--
> >  .../SecureBootConfigImpl.h                    |   7 +
> >  .../SecureBootConfigStrings.uni               |   6 +
> >  11 files changed, 421 insertions(+), 92 deletions(-)
> >
> > --
> > 2.26.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#107306): https://edk2.groups.io/g/devel/message/107306
Mute This Topic: https://groups.io/mt/100385941/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [edk2-devel] [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384
  2023-07-28  1:49   ` Sheng Wei
@ 2023-07-28  2:15     ` Yao, Jiewen
  0 siblings, 0 replies; 17+ messages in thread
From: Yao, Jiewen @ 2023-07-28  2:15 UTC (permalink / raw)
  To: Sheng, W, devel@edk2.groups.io
  Cc: Wang, Jian J, Xu, Min M, Chen, Zeyi, Wang, Fiona, Lu, Xiaoyu1,
	Jiang, Guomin, Kinney, Michael D, Gao, Liming

OK. Thanks!

> -----Original Message-----
> From: Sheng, W <w.sheng@intel.com>
> Sent: Friday, July 28, 2023 9:50 AM
> To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>;
> Chen, Zeyi <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>; Lu,
> Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>;
> Kinney, Michael D <michael.d.kinney@intel.com>; Gao, Liming
> <gaoliming@byosoft.com.cn>
> Subject: RE: [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384
> 
> Here are my negative tests.
> 1) Enroll a RSA2048 Cert, execute an unsigned efi image.
> 2) Enroll a RSA2048 Cert, execute a RSA4096 signed efi image.
> 3) Enroll a RSA4096 Cert, execute a RSA3072 signed efi image.
> 4) Enroll a RSA4096 Cert to both DB and DBX, execute the RSA4096 signed efi
> image.
> 
> Test Result:
> Get "Access Denied" when try to execute the efi image.
> 
> Thank you.
> BR
> Sheng Wei
> 
> > -----Original Message-----
> > From: Yao, Jiewen <jiewen.yao@intel.com>
> > Sent: 2023年7月27日 17:45
> > To: Sheng, W <w.sheng@intel.com>; devel@edk2.groups.io
> > Cc: Wang, Jian J <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>;
> > Chen, Zeyi <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>;
> > Lu, Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, Guomin
> > <guomin.jiang@intel.com>; Kinney, Michael D
> > <michael.d.kinney@intel.com>; Gao, Liming <gaoliming@byosoft.com.cn>
> > Subject: RE: [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384
> >
> > Thanks. May I know what *negative* test you have done?
> >
> >
> > > -----Original Message-----
> > > From: Sheng, W <w.sheng@intel.com>
> > > Sent: Thursday, July 27, 2023 2:35 PM
> > > To: devel@edk2.groups.io
> > > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> > > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi
> > > <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>; Lu, Xiaoyu1
> > > <xiaoyu1.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>;
> > > Kinney, Michael D <michael.d.kinney@intel.com>; Gao, Liming
> > > <gaoliming@byosoft.com.cn>
> > > Subject: [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384
> > >
> > > Patch V5:
> > > Using define KEY_TYPE_RSASSA to replace the magic number.
> > >
> > > Patch V4:
> > > Determine the RSA algorithm by a supported algorithm list.
> > >
> > > Patch V3:
> > > Select SHA algorithm automaticly for a unsigned efi image.
> > >
> > > Patch V2:
> > > Determine the SHA algorithm by a supported algorithm list.
> > > Create SHA context for each algorithm.
> > >
> > > Test Case:
> > > 1. Enroll a RSA4096 Cert, and execute an RSA4096 signed efi image
> > > under UEFI shell.
> > > 2. Enroll a RSA3072 Cert, and execute an RSA3072 signed efi image
> > > under UEFI shell.
> > > 3. Enroll a RSA2048 Cert, and execute an RSA2048 signed efi image
> > > under UEFI shell.
> > > 4. Enroll an unsigned efi image, execute the unsigned efi image under
> > > UEFI shell
> > >
> > > Test Result:
> > > Pass
> > >
> > > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > > Cc: Jian J Wang <jian.j.wang@intel.com>
> > > Cc: Min Xu <min.m.xu@intel.com>
> > > Cc: Zeyi Chen <zeyi.chen@intel.com>
> > > Cc: Fiona Wang <fiona.wang@intel.com>
> > > Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
> > > Cc: Guomin Jiang <guomin.jiang@intel.com>
> > > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > > Cc: Liming Gao <gaoliming@byosoft.com.cn>
> > >
> > > Sheng Wei (3):
> > >   MdePkg/Include: Add GUID for CERT_RSA3072 and CERT_RSA4096
> > >   CryptoPkg/Library/BaseCryptLib: add sha384 and sha512 to
> > >     ImageTimestampVerify
> > >   SecurityPkg/SecureBoot: Support RSA 512 and RSA 384
> > >
> > >  CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c   |   3 +-
> > >  MdePkg/Include/Guid/ImageAuthentication.h     |  26 +++
> > >  MdePkg/MdePkg.dec                             |   2 +
> > >  .../Library/AuthVariableLib/AuthService.c     | 220 +++++++++++++++---
> > >  .../AuthVariableLib/AuthServiceInternal.h     |   4 +-
> > >  .../Library/AuthVariableLib/AuthVariableLib.c |  42 ++--
> > >  .../DxeImageVerificationLib.c                 |  73 +++---
> > >  .../SecureBootConfigDxe.inf                   |  16 ++
> > >  .../SecureBootConfigImpl.c                    | 114 +++++++--
> > >  .../SecureBootConfigImpl.h                    |   7 +
> > >  .../SecureBootConfigStrings.uni               |   6 +
> > >  11 files changed, 421 insertions(+), 92 deletions(-)
> > >
> > > --
> > > 2.26.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#107308): https://edk2.groups.io/g/devel/message/107308
Mute This Topic: https://groups.io/mt/100385941/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [edk2-devel] [PATCH V5 3/3] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384
  2023-07-27  6:35 ` [edk2-devel] [PATCH V5 3/3] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384 Sheng Wei
@ 2023-07-28  2:34   ` Yao, Jiewen
  0 siblings, 0 replies; 17+ messages in thread
From: Yao, Jiewen @ 2023-07-28  2:34 UTC (permalink / raw)
  To: Sheng, W, devel@edk2.groups.io
  Cc: Wang, Jian J, Xu, Min M, Chen, Zeyi, Wang, Fiona

Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>

> -----Original Message-----
> From: Sheng, W <w.sheng@intel.com>
> Sent: Thursday, July 27, 2023 2:35 PM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>;
> Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi <zeyi.chen@intel.com>; Wang,
> Fiona <fiona.wang@intel.com>
> Subject: [PATCH V5 3/3] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3413
> 
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Min Xu <min.m.xu@intel.com>
> Cc: Zeyi Chen <zeyi.chen@intel.com>
> Cc: Fiona Wang <fiona.wang@intel.com>
> Signed-off-by: Sheng Wei <w.sheng@intel.com>
> ---
>  .../Library/AuthVariableLib/AuthService.c     | 220 +++++++++++++++---
>  .../AuthVariableLib/AuthServiceInternal.h     |   4 +-
>  .../Library/AuthVariableLib/AuthVariableLib.c |  42 ++--
>  .../DxeImageVerificationLib.c                 |  73 +++---
>  .../SecureBootConfigDxe.inf                   |  16 ++
>  .../SecureBootConfigImpl.c                    | 114 +++++++--
>  .../SecureBootConfigImpl.h                    |   7 +
>  .../SecureBootConfigStrings.uni               |   6 +
>  8 files changed, 391 insertions(+), 91 deletions(-)
> 
> diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c
> b/SecurityPkg/Library/AuthVariableLib/AuthService.c
> index d81c581d78..4c268a85cd 100644
> --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
> +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
> @@ -29,12 +29,125 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
>  #include <Protocol/VariablePolicy.h>
> 
>  #include <Library/VariablePolicyLib.h>
> 
> 
> 
> +#define SHA_DIGEST_SIZE_MAX SHA512_DIGEST_SIZE
> 
> +
> 
> +/**
> 
> +  Retrieves the size, in bytes, of the context buffer required for hash operations.
> 
> +
> 
> +  If this interface is not supported, then return zero.
> 
> +
> 
> +  @return  The size, in bytes, of the context buffer required for hash operations.
> 
> +  @retval  0   This interface is not supported.
> 
> +
> 
> +**/
> 
> +typedef
> 
> +UINTN
> 
> +(EFIAPI *EFI_HASH_GET_CONTEXT_SIZE)(
> 
> +  VOID
> 
> +  );
> 
> +
> 
> +/**
> 
> +  Initializes user-supplied memory pointed by Sha1Context as hash context for
> 
> +  subsequent use.
> 
> +
> 
> +  If HashContext is NULL, then return FALSE.
> 
> +  If this interface is not supported, then return FALSE.
> 
> +
> 
> +  @param[out]  HashContext  Pointer to Hashcontext being initialized.
> 
> +
> 
> +  @retval TRUE   Hash context initialization succeeded.
> 
> +  @retval FALSE  Hash context initialization failed.
> 
> +  @retval FALSE  This interface is not supported.
> 
> +
> 
> +**/
> 
> +typedef
> 
> +BOOLEAN
> 
> +(EFIAPI *EFI_HASH_INIT)(
> 
> +  OUT  VOID  *HashContext
> 
> +  );
> 
> +
> 
> +/**
> 
> +  Digests the input data and updates Hash context.
> 
> +
> 
> +  This function performs Hash digest on a data buffer of the specified size.
> 
> +  It can be called multiple times to compute the digest of long or discontinuous
> data streams.
> 
> +  Hash context should be already correctly initialized by HashInit(), and should
> not be finalized
> 
> +  by HashFinal(). Behavior with invalid context is undefined.
> 
> +
> 
> +  If HashContext is NULL, then return FALSE.
> 
> +  If this interface is not supported, then return FALSE.
> 
> +
> 
> +  @param[in, out]  HashContext  Pointer to the Hash context.
> 
> +  @param[in]       Data         Pointer to the buffer containing the data to be
> hashed.
> 
> +  @param[in]       DataSize     Size of Data buffer in bytes.
> 
> +
> 
> +  @retval TRUE   SHA-1 data digest succeeded.
> 
> +  @retval FALSE  SHA-1 data digest failed.
> 
> +  @retval FALSE  This interface is not supported.
> 
> +
> 
> +**/
> 
> +typedef
> 
> +BOOLEAN
> 
> +(EFIAPI *EFI_HASH_UPDATE)(
> 
> +  IN OUT  VOID        *HashContext,
> 
> +  IN      CONST VOID  *Data,
> 
> +  IN      UINTN       DataSize
> 
> +  );
> 
> +
> 
> +/**
> 
> +  Completes computation of the Hash digest value.
> 
> +
> 
> +  This function completes hash computation and retrieves the digest value into
> 
> +  the specified memory. After this function has been called, the Hash context
> cannot
> 
> +  be used again.
> 
> +  Hash context should be already correctly initialized by HashInit(), and should
> not be
> 
> +  finalized by HashFinal(). Behavior with invalid Hash context is undefined.
> 
> +
> 
> +  If HashContext is NULL, then return FALSE.
> 
> +  If HashValue is NULL, then return FALSE.
> 
> +  If this interface is not supported, then return FALSE.
> 
> +
> 
> +  @param[in, out]  HashContext  Pointer to the Hash context.
> 
> +  @param[out]      HashValue    Pointer to a buffer that receives the Hash digest
> 
> +                                value.
> 
> +
> 
> +  @retval TRUE   Hash digest computation succeeded.
> 
> +  @retval FALSE  Hash digest computation failed.
> 
> +  @retval FALSE  This interface is not supported.
> 
> +
> 
> +**/
> 
> +typedef
> 
> +BOOLEAN
> 
> +(EFIAPI *EFI_HASH_FINAL)(
> 
> +  IN OUT  VOID   *HashContext,
> 
> +  OUT     UINT8  *HashValue
> 
> +  );
> 
> +
> 
> +typedef struct {
> 
> +  UINT32                       HashSize;
> 
> +  EFI_HASH_GET_CONTEXT_SIZE    GetContextSize;
> 
> +  EFI_HASH_INIT                Init;
> 
> +  EFI_HASH_UPDATE              Update;
> 
> +  EFI_HASH_FINAL               Final;
> 
> +  VOID                         **HashShaCtx;
> 
> +  UINT8                        *OidValue;
> 
> +  UINTN                        OidLength;
> 
> +} EFI_HASH_INFO;
> 
> +
> 
>  //
> 
>  // Public Exponent of RSA Key.
> 
>  //
> 
>  CONST UINT8  mRsaE[] = { 0x01, 0x00, 0x01 };
> 
> 
> 
> -CONST UINT8  mSha256OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04,
> 0x02, 0x01 };
> 
> +UINT8  mSha256OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02,
> 0x01 };
> 
> +UINT8  mSha384OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02,
> 0x02 };
> 
> +UINT8  mSha512OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02,
> 0x03 };
> 
> +
> 
> +EFI_HASH_INFO  mHashInfo[] = {
> 
> +  {SHA256_DIGEST_SIZE, Sha256GetContextSize, Sha256Init, Sha256Update,
> Sha256Final, &mHashSha256Ctx, mSha256OidValue, 9},
> 
> +  {SHA384_DIGEST_SIZE, Sha384GetContextSize, Sha384Init, Sha384Update,
> Sha384Final, &mHashSha384Ctx, mSha384OidValue, 9},
> 
> +  {SHA512_DIGEST_SIZE, Sha512GetContextSize, Sha512Init, Sha512Update,
> Sha512Final, &mHashSha512Ctx, mSha512OidValue, 9},
> 
> +};
> 
> 
> 
>  //
> 
>  // Requirement for different signature type which have been defined in UEFI
> spec.
> 
> @@ -44,6 +157,8 @@ EFI_SIGNATURE_ITEM  mSupportSigItem[] = {
>    // {SigType,                       SigHeaderSize,   SigDataSize  }
> 
>    { EFI_CERT_SHA256_GUID,         0, 32            },
> 
>    { EFI_CERT_RSA2048_GUID,        0, 256           },
> 
> +  { EFI_CERT_RSA3072_GUID,        0, 384           },
> 
> +  { EFI_CERT_RSA4096_GUID,        0, 512           },
> 
>    { EFI_CERT_RSA2048_SHA256_GUID, 0, 256           },
> 
>    { EFI_CERT_SHA1_GUID,           0, 20            },
> 
>    { EFI_CERT_RSA2048_SHA1_GUID,   0, 256           },
> 
> @@ -1090,26 +1205,28 @@ AuthServiceInternalCompareTimeStamp (
>  }
> 
> 
> 
>  /**
> 
> -  Calculate SHA256 digest of SignerCert CommonName + ToplevelCert
> tbsCertificate
> 
> +  Calculate SHA digest of SignerCert CommonName + ToplevelCert tbsCertificate
> 
>    SignerCert and ToplevelCert are inside the signer certificate chain.
> 
> 
> 
> +  @param[in]  HashAlgId           Hash algorithm index
> 
>    @param[in]  SignerCert          A pointer to SignerCert data.
> 
>    @param[in]  SignerCertSize      Length of SignerCert data.
> 
>    @param[in]  TopLevelCert        A pointer to TopLevelCert data.
> 
>    @param[in]  TopLevelCertSize    Length of TopLevelCert data.
> 
> -  @param[out] Sha256Digest       Sha256 digest calculated.
> 
> +  @param[out] ShaDigest           Sha digest calculated.
> 
> 
> 
>    @return EFI_ABORTED          Digest process failed.
> 
> -  @return EFI_SUCCESS          SHA256 Digest is successfully calculated.
> 
> +  @return EFI_SUCCESS          SHA Digest is successfully calculated.
> 
> 
> 
>  **/
> 
>  EFI_STATUS
> 
> -CalculatePrivAuthVarSignChainSHA256Digest (
> 
> +CalculatePrivAuthVarSignChainSHADigest (
> 
> +  IN     UINT8  HashAlgId,
> 
>    IN     UINT8  *SignerCert,
> 
>    IN     UINTN  SignerCertSize,
> 
>    IN     UINT8  *TopLevelCert,
> 
>    IN     UINTN  TopLevelCertSize,
> 
> -  OUT    UINT8  *Sha256Digest
> 
> +  OUT    UINT8  *ShaDigest
> 
>    )
> 
>  {
> 
>    UINT8       *TbsCert;
> 
> @@ -1119,6 +1236,11 @@ CalculatePrivAuthVarSignChainSHA256Digest (
>    BOOLEAN     CryptoStatus;
> 
>    EFI_STATUS  Status;
> 
> 
> 
> +  if (HashAlgId >= (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) {
> 
> +    DEBUG ((DEBUG_INFO, "%a Unsupported Hash Algorithm %d\n", __func__,
> HashAlgId));
> 
> +    return EFI_ABORTED;
> 
> +  }
> 
> +
> 
>    CertCommonNameSize = sizeof (CertCommonName);
> 
> 
> 
>    //
> 
> @@ -1141,8 +1263,8 @@ CalculatePrivAuthVarSignChainSHA256Digest (
>    //
> 
>    // Digest SignerCert CN + TopLevelCert tbsCertificate
> 
>    //
> 
> -  ZeroMem (Sha256Digest, SHA256_DIGEST_SIZE);
> 
> -  CryptoStatus = Sha256Init (mHashCtx);
> 
> +  ZeroMem (ShaDigest, mHashInfo[HashAlgId].HashSize);
> 
> +  CryptoStatus = mHashInfo[HashAlgId].Init
> (*(mHashInfo[HashAlgId].HashShaCtx));
> 
>    if (!CryptoStatus) {
> 
>      return EFI_ABORTED;
> 
>    }
> 
> @@ -1150,8 +1272,8 @@ CalculatePrivAuthVarSignChainSHA256Digest (
>    //
> 
>    // '\0' is forced in CertCommonName. No overflow issue
> 
>    //
> 
> -  CryptoStatus = Sha256Update (
> 
> -                   mHashCtx,
> 
> +  CryptoStatus = mHashInfo[HashAlgId].Update (
> 
> +                   *(mHashInfo[HashAlgId].HashShaCtx),
> 
>                     CertCommonName,
> 
>                     AsciiStrLen (CertCommonName)
> 
>                     );
> 
> @@ -1159,12 +1281,12 @@ CalculatePrivAuthVarSignChainSHA256Digest (
>      return EFI_ABORTED;
> 
>    }
> 
> 
> 
> -  CryptoStatus = Sha256Update (mHashCtx, TbsCert, TbsCertSize);
> 
> +  CryptoStatus = mHashInfo[HashAlgId].Update
> (*(mHashInfo[HashAlgId].HashShaCtx), TbsCert, TbsCertSize);
> 
>    if (!CryptoStatus) {
> 
>      return EFI_ABORTED;
> 
>    }
> 
> 
> 
> -  CryptoStatus = Sha256Final (mHashCtx, Sha256Digest);
> 
> +  CryptoStatus = mHashInfo[HashAlgId].Final
> (*(mHashInfo[HashAlgId].HashShaCtx), ShaDigest);
> 
>    if (!CryptoStatus) {
> 
>      return EFI_ABORTED;
> 
>    }
> 
> @@ -1516,9 +1638,10 @@ DeleteCertsFromDb (
>  /**
> 
>    Insert signer's certificates for common authenticated variable with
> VariableName
> 
>    and VendorGuid in AUTH_CERT_DB_DATA to "certdb" or "certdbv" according to
> 
> -  time based authenticated variable attributes. CertData is the SHA256 digest of
> 
> +  time based authenticated variable attributes. CertData is the SHA digest of
> 
>    SignerCert CommonName + TopLevelCert tbsCertificate.
> 
> 
> 
> +  @param[in]  HashAlgId         Hash algorithm index.
> 
>    @param[in]  VariableName      Name of authenticated Variable.
> 
>    @param[in]  VendorGuid        Vendor GUID of authenticated Variable.
> 
>    @param[in]  Attributes        Attributes of authenticated variable.
> 
> @@ -1536,6 +1659,7 @@ DeleteCertsFromDb (
>  **/
> 
>  EFI_STATUS
> 
>  InsertCertsToDb (
> 
> +  IN     UINT8     HashAlgId,
> 
>    IN     CHAR16    *VariableName,
> 
>    IN     EFI_GUID  *VendorGuid,
> 
>    IN     UINT32    Attributes,
> 
> @@ -1556,12 +1680,16 @@ InsertCertsToDb (
>    UINT32             CertDataSize;
> 
>    AUTH_CERT_DB_DATA  *Ptr;
> 
>    CHAR16             *DbName;
> 
> -  UINT8              Sha256Digest[SHA256_DIGEST_SIZE];
> 
> +  UINT8              ShaDigest[SHA_DIGEST_SIZE_MAX];
> 
> 
> 
>    if ((VariableName == NULL) || (VendorGuid == NULL) || (SignerCert == NULL) ||
> (TopLevelCert == NULL)) {
> 
>      return EFI_INVALID_PARAMETER;
> 
>    }
> 
> 
> 
> +  if (HashAlgId >= (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) {
> 
> +    return EFI_INVALID_PARAMETER;
> 
> +  }
> 
> +
> 
>    if ((Attributes & EFI_VARIABLE_NON_VOLATILE) != 0) {
> 
>      //
> 
>      // Get variable "certdb".
> 
> @@ -1618,20 +1746,22 @@ InsertCertsToDb (
>    // Construct new data content of variable "certdb" or "certdbv".
> 
>    //
> 
>    NameSize      = (UINT32)StrLen (VariableName);
> 
> -  CertDataSize  = sizeof (Sha256Digest);
> 
> +  CertDataSize  = mHashInfo[HashAlgId].HashSize;
> 
>    CertNodeSize  = sizeof (AUTH_CERT_DB_DATA) + (UINT32)CertDataSize +
> NameSize * sizeof (CHAR16);
> 
>    NewCertDbSize = (UINT32)DataSize + CertNodeSize;
> 
>    if (NewCertDbSize > mMaxCertDbSize) {
> 
>      return EFI_OUT_OF_RESOURCES;
> 
>    }
> 
> 
> 
> -  Status = CalculatePrivAuthVarSignChainSHA256Digest (
> 
> +  Status = CalculatePrivAuthVarSignChainSHADigest (
> 
> +             HashAlgId,
> 
>               SignerCert,
> 
>               SignerCertSize,
> 
>               TopLevelCert,
> 
>               TopLevelCertSize,
> 
> -             Sha256Digest
> 
> +             ShaDigest
> 
>               );
> 
> +
> 
>    if (EFI_ERROR (Status)) {
> 
>      return Status;
> 
>    }
> 
> @@ -1663,7 +1793,7 @@ InsertCertsToDb (
> 
> 
>    CopyMem (
> 
>      (UINT8 *)Ptr +  sizeof (AUTH_CERT_DB_DATA) + NameSize * sizeof (CHAR16),
> 
> -    Sha256Digest,
> 
> +    ShaDigest,
> 
>      CertDataSize
> 
>      );
> 
> 
> 
> @@ -1790,6 +1920,36 @@ CleanCertsFromDb (
>    return Status;
> 
>  }
> 
> 
> 
> +/**
> 
> +  Find hash algorithm index
> 
> +
> 
> +  @param[in]  SigData      Pointer to the PKCS#7 message
> 
> +  @param[in]  SigDataSize  Length of the PKCS#7 message
> 
> +
> 
> +  @retval UINT8        Hash Algorithm Index
> 
> +**/
> 
> +UINT8
> 
> +FindHashAlgorithmIndex (
> 
> +  IN     UINT8         *SigData,
> 
> +  IN     UINT32        SigDataSize
> 
> +)
> 
> +{
> 
> +  UINT8 i;
> 
> +
> 
> +  for (i = 0; i < (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO)); i++) {
> 
> +    if (  (  (SigDataSize >= (13 + mHashInfo[i].OidLength))
> 
> +          && (  ((*(SigData + 1) & TWO_BYTE_ENCODE) == TWO_BYTE_ENCODE)
> 
> +            && (CompareMem (SigData + 13, mHashInfo[i].OidValue,
> mHashInfo[i].OidLength) == 0)))
> 
> +      || ((  (SigDataSize >= (32 +  mHashInfo[i].OidLength)))
> 
> +        && (  ((*(SigData + 20) & TWO_BYTE_ENCODE) == TWO_BYTE_ENCODE)
> 
> +          && (CompareMem (SigData + 32, mHashInfo[i].OidValue,
> mHashInfo[i].OidLength) == 0))))
> 
> +    {
> 
> +      break;
> 
> +    }
> 
> +  }
> 
> +  return i;
> 
> +}
> 
> +
> 
>  /**
> 
>    Process variable with
> EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set
> 
> 
> 
> @@ -1857,8 +2017,9 @@ VerifyTimeBasedPayload (
>    UINTN                          CertStackSize;
> 
>    UINT8                          *CertsInCertDb;
> 
>    UINT32                         CertsSizeinDb;
> 
> -  UINT8                          Sha256Digest[SHA256_DIGEST_SIZE];
> 
> +  UINT8                          ShaDigest[SHA_DIGEST_SIZE_MAX];
> 
>    EFI_CERT_DATA                  *CertDataPtr;
> 
> +  UINT8                          HashAlgId;
> 
> 
> 
>    //
> 
>    // 1. TopLevelCert is the top-level issuer certificate in signature Signer Cert
> Chain
> 
> @@ -1928,7 +2089,7 @@ VerifyTimeBasedPayload (
> 
> 
>    //
> 
>    // SignedData.digestAlgorithms shall contain the digest algorithm used when
> preparing the
> 
> -  // signature. Only a digest algorithm of SHA-256 is accepted.
> 
> +  // signature. Only a digest algorithm of SHA-256, SHA-384 or SHA-512 is
> accepted.
> 
>    //
> 
>    //    According to PKCS#7 Definition (https://www.rfc-editor.org/rfc/rfc2315):
> 
>    //        SignedData ::= SEQUENCE {
> 
> @@ -1972,14 +2133,9 @@ VerifyTimeBasedPayload (
>    //
> 
>    // Example generated with:
> https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_
> Boot#Manual_process
> 
>    //
> 
> +  HashAlgId = FindHashAlgorithmIndex (SigData, SigDataSize);
> 
>    if ((Attributes &
> EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {
> 
> -    if (  (  (SigDataSize >= (13 + sizeof (mSha256OidValue)))
> 
> -          && (  ((*(SigData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)
> 
> -             || (CompareMem (SigData + 13, &mSha256OidValue, sizeof
> (mSha256OidValue)) != 0)))
> 
> -       && (  (SigDataSize >= (32 + sizeof (mSha256OidValue)))
> 
> -          && (  ((*(SigData + 20) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)
> 
> -             || (CompareMem (SigData + 32, &mSha256OidValue, sizeof
> (mSha256OidValue)) != 0))))
> 
> -    {
> 
> +    if (HashAlgId >= (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) {
> 
>        return EFI_SECURITY_VIOLATION;
> 
>      }
> 
>    }
> 
> @@ -2170,19 +2326,20 @@ VerifyTimeBasedPayload (
>          goto Exit;
> 
>        }
> 
> 
> 
> -      if (CertsSizeinDb == SHA256_DIGEST_SIZE) {
> 
> +      if ((HashAlgId < (sizeof (mHashInfo) / sizeof (EFI_HASH_INFO))) &&
> (CertsSizeinDb == mHashInfo[HashAlgId].HashSize)) {
> 
>          //
> 
>          // Check hash of signer cert CommonName + Top-level issuer tbsCertificate
> against data in CertDb
> 
>          //
> 
>          CertDataPtr = (EFI_CERT_DATA *)(SignerCerts + 1);
> 
> -        Status      = CalculatePrivAuthVarSignChainSHA256Digest (
> 
> +        Status      = CalculatePrivAuthVarSignChainSHADigest (
> 
> +                        HashAlgId,
> 
>                          CertDataPtr->CertDataBuffer,
> 
>                          ReadUnaligned32 ((UINT32 *)&(CertDataPtr->CertDataLength)),
> 
>                          TopLevelCert,
> 
>                          TopLevelCertSize,
> 
> -                        Sha256Digest
> 
> +                        ShaDigest
> 
>                          );
> 
> -        if (EFI_ERROR (Status) || (CompareMem (Sha256Digest, CertsInCertDb,
> CertsSizeinDb) != 0)) {
> 
> +        if (EFI_ERROR (Status) || (CompareMem (ShaDigest, CertsInCertDb,
> CertsSizeinDb) != 0)) {
> 
>            goto Exit;
> 
>          }
> 
>        } else {
> 
> @@ -2215,6 +2372,7 @@ VerifyTimeBasedPayload (
>        //
> 
>        CertDataPtr = (EFI_CERT_DATA *)(SignerCerts + 1);
> 
>        Status      = InsertCertsToDb (
> 
> +                      HashAlgId,
> 
>                        VariableName,
> 
>                        VendorGuid,
> 
>                        Attributes,
> 
> diff --git a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
> b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
> index b202e613bc..f7bf771d55 100644
> --- a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
> +++ b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
> @@ -92,7 +92,9 @@ extern UINT32  mMaxCertDbSize;
>  extern UINT32  mPlatformMode;
> 
>  extern UINT8   mVendorKeyState;
> 
> 
> 
> -extern VOID  *mHashCtx;
> 
> +extern VOID  *mHashSha256Ctx;
> 
> +extern VOID  *mHashSha384Ctx;
> 
> +extern VOID  *mHashSha512Ctx;
> 
> 
> 
>  extern AUTH_VAR_LIB_CONTEXT_IN  *mAuthVarLibContextIn;
> 
> 
> 
> diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
> b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
> index dc61ae840c..19e0004699 100644
> --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
> +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
> @@ -26,12 +26,14 @@ UINT32  mMaxCertDbSize;
>  UINT32  mPlatformMode;
> 
>  UINT8   mVendorKeyState;
> 
> 
> 
> -EFI_GUID  mSignatureSupport[] = { EFI_CERT_SHA1_GUID,
> EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID };
> 
> +EFI_GUID  mSignatureSupport[] = { EFI_CERT_SHA1_GUID,
> EFI_CERT_SHA256_GUID, EFI_CERT_SHA384_GUID, EFI_CERT_SHA512_GUID,
> EFI_CERT_RSA2048_GUID, EFI_CERT_RSA3072_GUID,
> EFI_CERT_RSA4096_GUID, EFI_CERT_X509_GUID };
> 
> 
> 
>  //
> 
>  // Hash context pointer
> 
>  //
> 
> -VOID  *mHashCtx = NULL;
> 
> +VOID  *mHashSha256Ctx = NULL;
> 
> +VOID  *mHashSha384Ctx = NULL;
> 
> +VOID  *mHashSha512Ctx = NULL;
> 
> 
> 
>  VARIABLE_ENTRY_PROPERTY  mAuthVarEntry[] = {
> 
>    {
> 
> @@ -91,7 +93,7 @@ VARIABLE_ENTRY_PROPERTY  mAuthVarEntry[] = {
>    },
> 
>  };
> 
> 
> 
> -VOID  **mAuthVarAddressPointer[9];
> 
> +VOID  **mAuthVarAddressPointer[11];
> 
> 
> 
>  AUTH_VAR_LIB_CONTEXT_IN  *mAuthVarLibContextIn = NULL;
> 
> 
> 
> @@ -120,7 +122,6 @@ AuthVariableLibInitialize (
>    UINT32      VarAttr;
> 
>    UINT8       *Data;
> 
>    UINTN       DataSize;
> 
> -  UINTN       CtxSize;
> 
>    UINT8       SecureBootMode;
> 
>    UINT8       SecureBootEnable;
> 
>    UINT8       CustomMode;
> 
> @@ -135,9 +136,18 @@ AuthVariableLibInitialize (
>    //
> 
>    // Initialize hash context.
> 
>    //
> 
> -  CtxSize  = Sha256GetContextSize ();
> 
> -  mHashCtx = AllocateRuntimePool (CtxSize);
> 
> -  if (mHashCtx == NULL) {
> 
> +  mHashSha256Ctx = AllocateRuntimePool (Sha256GetContextSize ());
> 
> +  if (mHashSha256Ctx == NULL) {
> 
> +    return EFI_OUT_OF_RESOURCES;
> 
> +  }
> 
> +
> 
> +  mHashSha384Ctx = AllocateRuntimePool (Sha384GetContextSize ());
> 
> +  if (mHashSha384Ctx == NULL) {
> 
> +    return EFI_OUT_OF_RESOURCES;
> 
> +  }
> 
> +
> 
> +  mHashSha512Ctx = AllocateRuntimePool (Sha512GetContextSize ());
> 
> +  if (mHashSha512Ctx == NULL) {
> 
>      return EFI_OUT_OF_RESOURCES;
> 
>    }
> 
> 
> 
> @@ -356,14 +366,16 @@ AuthVariableLibInitialize (
>    AuthVarLibContextOut->AuthVarEntry        = mAuthVarEntry;
> 
>    AuthVarLibContextOut->AuthVarEntryCount   = ARRAY_SIZE (mAuthVarEntry);
> 
>    mAuthVarAddressPointer[0]                 = (VOID **)&mCertDbStore;
> 
> -  mAuthVarAddressPointer[1]                 = (VOID **)&mHashCtx;
> 
> -  mAuthVarAddressPointer[2]                 = (VOID **)&mAuthVarLibContextIn;
> 
> -  mAuthVarAddressPointer[3]                 = (VOID **)&(mAuthVarLibContextIn-
> >FindVariable),
> 
> -  mAuthVarAddressPointer[4]                 = (VOID **)&(mAuthVarLibContextIn-
> >FindNextVariable),
> 
> -  mAuthVarAddressPointer[5]                 = (VOID **)&(mAuthVarLibContextIn-
> >UpdateVariable),
> 
> -  mAuthVarAddressPointer[6]                 = (VOID **)&(mAuthVarLibContextIn-
> >GetScratchBuffer),
> 
> -  mAuthVarAddressPointer[7]                 = (VOID **)&(mAuthVarLibContextIn-
> >CheckRemainingSpaceForConsistency),
> 
> -  mAuthVarAddressPointer[8]                 = (VOID **)&(mAuthVarLibContextIn-
> >AtRuntime),
> 
> +  mAuthVarAddressPointer[1]                 = (VOID **)&mHashSha256Ctx;
> 
> +  mAuthVarAddressPointer[2]                 = (VOID **)&mHashSha384Ctx;
> 
> +  mAuthVarAddressPointer[3]                 = (VOID **)&mHashSha512Ctx;
> 
> +  mAuthVarAddressPointer[4]                 = (VOID **)&mAuthVarLibContextIn;
> 
> +  mAuthVarAddressPointer[5]                 = (VOID **)&(mAuthVarLibContextIn-
> >FindVariable),
> 
> +  mAuthVarAddressPointer[6]                 = (VOID **)&(mAuthVarLibContextIn-
> >FindNextVariable),
> 
> +  mAuthVarAddressPointer[7]                 = (VOID **)&(mAuthVarLibContextIn-
> >UpdateVariable),
> 
> +  mAuthVarAddressPointer[8]                 = (VOID **)&(mAuthVarLibContextIn-
> >GetScratchBuffer),
> 
> +  mAuthVarAddressPointer[9]                 = (VOID **)&(mAuthVarLibContextIn-
> >CheckRemainingSpaceForConsistency),
> 
> +  mAuthVarAddressPointer[10]                 = (VOID **)&(mAuthVarLibContextIn-
> >AtRuntime),
> 
>    AuthVarLibContextOut->AddressPointer      = mAuthVarAddressPointer;
> 
>    AuthVarLibContextOut->AddressPointerCount = ARRAY_SIZE
> (mAuthVarAddressPointer);
> 
> 
> 
> diff --git
> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> index 5d8dbd5468..88b2d3c6c1 100644
> --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> @@ -1620,7 +1620,7 @@ Done:
>        in the security database "db", and no valid signature nor any hash value of the
> image may
> 
>        be reflected in the security database "dbx".
> 
>      Otherwise, the image is not signed,
> 
> -      The SHA256 hash value of the image must match a record in the security
> database "db", and
> 
> +      The hash value of the image must match a record in the security database
> "db", and
> 
>        not be reflected in the security data base "dbx".
> 
> 
> 
>    Caution: This function may receive untrusted input.
> 
> @@ -1690,6 +1690,8 @@ DxeImageVerificationHandler (
>    EFI_STATUS                    VarStatus;
> 
>    UINT32                        VarAttr;
> 
>    BOOLEAN                       IsFound;
> 
> +  UINT8                         HashAlg;
> 
> +  BOOLEAN                       IsFoundInDatabase;
> 
> 
> 
>    SignatureList     = NULL;
> 
>    SignatureListSize = 0;
> 
> @@ -1699,6 +1701,7 @@ DxeImageVerificationHandler (
>    Action            = EFI_IMAGE_EXECUTION_AUTH_UNTESTED;
> 
>    IsVerified        = FALSE;
> 
>    IsFound           = FALSE;
> 
> +  IsFoundInDatabase = FALSE;
> 
> 
> 
>    //
> 
>    // Check the image type and get policy setting.
> 
> @@ -1837,40 +1840,50 @@ DxeImageVerificationHandler (
>    //
> 
>    if ((SecDataDir == NULL) || (SecDataDir->Size == 0)) {
> 
>      //
> 
> -    // This image is not signed. The SHA256 hash value of the image must match a
> record in the security database "db",
> 
> +    // This image is not signed. The hash value of the image must match a record
> in the security database "db",
> 
>      // and not be reflected in the security data base "dbx".
> 
>      //
> 
> -    if (!HashPeImage (HASHALG_SHA256)) {
> 
> -      DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Failed to hash this image
> using %s.\n", mHashTypeStr));
> 
> -      goto Failed;
> 
> -    }
> 
> +    HashAlg = sizeof (mHash) / sizeof (HASH_TABLE);
> 
> +    while (HashAlg > 0) {
> 
> +      HashAlg--;
> 
> +      if ((mHash[HashAlg].GetContextSize == NULL) || (mHash[HashAlg].HashInit
> == NULL) || (mHash[HashAlg].HashUpdate == NULL) ||
> (mHash[HashAlg].HashFinal == NULL)) {
> 
> +        continue;
> 
> +      }
> 
> +      if (!HashPeImage (HashAlg)) {
> 
> +        continue;
> 
> +      }
> 
> 
> 
> -    DbStatus = IsSignatureFoundInDatabase (
> 
> -                 EFI_IMAGE_SECURITY_DATABASE1,
> 
> -                 mImageDigest,
> 
> -                 &mCertType,
> 
> -                 mImageDigestSize,
> 
> -                 &IsFound
> 
> -                 );
> 
> -    if (EFI_ERROR (DbStatus) || IsFound) {
> 
> -      //
> 
> -      // Image Hash is in forbidden database (DBX).
> 
> -      //
> 
> -      DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed and %s
> hash of image is forbidden by DBX.\n", mHashTypeStr));
> 
> -      goto Failed;
> 
> +      DbStatus = IsSignatureFoundInDatabase (
> 
> +                   EFI_IMAGE_SECURITY_DATABASE1,
> 
> +                   mImageDigest,
> 
> +                   &mCertType,
> 
> +                   mImageDigestSize,
> 
> +                   &IsFound
> 
> +                   );
> 
> +      if (EFI_ERROR (DbStatus) || IsFound) {
> 
> +        //
> 
> +        // Image Hash is in forbidden database (DBX).
> 
> +        //
> 
> +        DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed
> and %s hash of image is forbidden by DBX.\n", mHashTypeStr));
> 
> +        goto Failed;
> 
> +      }
> 
> +
> 
> +      DbStatus = IsSignatureFoundInDatabase (
> 
> +                   EFI_IMAGE_SECURITY_DATABASE,
> 
> +                   mImageDigest,
> 
> +                   &mCertType,
> 
> +                   mImageDigestSize,
> 
> +                   &IsFound
> 
> +                   );
> 
> +      if (!EFI_ERROR (DbStatus) && IsFound) {
> 
> +        //
> 
> +        // Image Hash is in allowed database (DB).
> 
> +        //
> 
> +        IsFoundInDatabase = TRUE;
> 
> +      }
> 
>      }
> 
> 
> 
> -    DbStatus = IsSignatureFoundInDatabase (
> 
> -                 EFI_IMAGE_SECURITY_DATABASE,
> 
> -                 mImageDigest,
> 
> -                 &mCertType,
> 
> -                 mImageDigestSize,
> 
> -                 &IsFound
> 
> -                 );
> 
> -    if (!EFI_ERROR (DbStatus) && IsFound) {
> 
> -      //
> 
> -      // Image Hash is in allowed database (DB).
> 
> -      //
> 
> +    if (IsFoundInDatabase) {
> 
>        return EFI_SUCCESS;
> 
>      }
> 
> 
> 
> diff --git
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx
> e.inf
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx
> e.inf
> index 1671d5be7c..cb52a16c09 100644
> ---
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx
> e.inf
> +++
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx
> e.inf
> @@ -70,6 +70,14 @@
>    ## SOMETIMES_PRODUCES      ## GUID            # Unique ID for the type of the
> signature.
> 
>    gEfiCertRsa2048Guid
> 
> 
> 
> +  ## SOMETIMES_CONSUMES      ## GUID            # Unique ID for the type of the
> signature.
> 
> +  ## SOMETIMES_PRODUCES      ## GUID            # Unique ID for the type of the
> signature.
> 
> +  gEfiCertRsa3072Guid
> 
> +
> 
> +  ## SOMETIMES_CONSUMES      ## GUID            # Unique ID for the type of the
> signature.
> 
> +  ## SOMETIMES_PRODUCES      ## GUID            # Unique ID for the type of the
> signature.
> 
> +  gEfiCertRsa4096Guid
> 
> +
> 
>    ## SOMETIMES_CONSUMES      ## GUID            # Unique ID for the type of the
> signature.
> 
>    ## SOMETIMES_PRODUCES      ## GUID            # Unique ID for the type of the
> signature.
> 
>    gEfiCertX509Guid
> 
> @@ -82,6 +90,14 @@
>    ## SOMETIMES_PRODUCES      ## GUID            # Unique ID for the type of the
> signature.
> 
>    gEfiCertSha256Guid
> 
> 
> 
> +  ## SOMETIMES_CONSUMES      ## GUID            # Unique ID for the type of the
> signature.
> 
> +  ## SOMETIMES_PRODUCES      ## GUID            # Unique ID for the type of the
> signature.
> 
> +  gEfiCertSha384Guid
> 
> +
> 
> +  ## SOMETIMES_CONSUMES      ## GUID            # Unique ID for the type of the
> signature.
> 
> +  ## SOMETIMES_PRODUCES      ## GUID            # Unique ID for the type of the
> signature.
> 
> +  gEfiCertSha512Guid
> 
> +
> 
>    ## SOMETIMES_CONSUMES      ## Variable:L"db"
> 
>    ## SOMETIMES_PRODUCES      ## Variable:L"db"
> 
>    ## SOMETIMES_CONSUMES      ## Variable:L"dbx"
> 
> diff --git
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigIm
> pl.c
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigIm
> pl.c
> index 0e31502b1b..de9d801109 100644
> ---
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigIm
> pl.c
> +++
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigIm
> pl.c
> @@ -560,7 +560,7 @@ ON_EXIT:
> 
> 
>  **/
> 
>  EFI_STATUS
> 
> -EnrollRsa2048ToKek (
> 
> +EnrollRsaToKek (
> 
>    IN SECUREBOOT_CONFIG_PRIVATE_DATA  *Private
> 
>    )
> 
>  {
> 
> @@ -603,8 +603,19 @@ EnrollRsa2048ToKek (
> 
> 
>    ASSERT (KeyBlob != NULL);
> 
>    KeyInfo = (CPL_KEY_INFO *)KeyBlob;
> 
> -  if (KeyInfo->KeyLengthInBits / 8 != WIN_CERT_UEFI_RSA2048_SIZE) {
> 
> -    DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048 is
> supported.\n"));
> 
> +  if (KeyInfo->KeyType == KEY_TYPE_RSASSA) {
> 
> +    switch (KeyInfo->KeyLengthInBits / 8) {
> 
> +    case WIN_CERT_UEFI_RSA2048_SIZE:
> 
> +    case WIN_CERT_UEFI_RSA3072_SIZE:
> 
> +    case WIN_CERT_UEFI_RSA4096_SIZE:
> 
> +      break;
> 
> +    default :
> 
> +      DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048, RSA3072
> and RSA4096 are supported.\n"));
> 
> +      Status = EFI_UNSUPPORTED;
> 
> +      goto ON_EXIT;
> 
> +    }
> 
> +  } else {
> 
> +    DEBUG ((DEBUG_ERROR, "Unsupported key type : %d, only 0 is
> supported.\n", KeyInfo->KeyType));
> 
>      Status = EFI_UNSUPPORTED;
> 
>      goto ON_EXIT;
> 
>    }
> 
> @@ -632,7 +643,7 @@ EnrollRsa2048ToKek (
>    //
> 
>    KekSigListSize = sizeof (EFI_SIGNATURE_LIST)
> 
>                     + sizeof (EFI_SIGNATURE_DATA) - 1
> 
> -                   + WIN_CERT_UEFI_RSA2048_SIZE;
> 
> +                   + KeyLenInBytes;
> 
> 
> 
>    KekSigList = (EFI_SIGNATURE_LIST *)AllocateZeroPool (KekSigListSize);
> 
>    if (KekSigList == NULL) {
> 
> @@ -642,17 +653,32 @@ EnrollRsa2048ToKek (
> 
> 
>    KekSigList->SignatureListSize = sizeof (EFI_SIGNATURE_LIST)
> 
>                                    + sizeof (EFI_SIGNATURE_DATA) - 1
> 
> -                                  + WIN_CERT_UEFI_RSA2048_SIZE;
> 
> +                                  + (UINT32) KeyLenInBytes;
> 
>    KekSigList->SignatureHeaderSize = 0;
> 
> -  KekSigList->SignatureSize       = sizeof (EFI_SIGNATURE_DATA) - 1 +
> WIN_CERT_UEFI_RSA2048_SIZE;
> 
> -  CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid);
> 
> +  KekSigList->SignatureSize       = sizeof (EFI_SIGNATURE_DATA) - 1 + (UINT32)
> KeyLenInBytes;
> 
> +  switch (KeyLenInBytes) {
> 
> +  case WIN_CERT_UEFI_RSA2048_SIZE:
> 
> +    CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid);
> 
> +    break;
> 
> +  case WIN_CERT_UEFI_RSA3072_SIZE:
> 
> +    CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa3072Guid);
> 
> +    break;
> 
> +  case WIN_CERT_UEFI_RSA4096_SIZE:
> 
> +    CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa4096Guid);
> 
> +    break;
> 
> +    break;
> 
> +  default :
> 
> +    DEBUG ((DEBUG_ERROR, "Unsupported key length.\n"));
> 
> +    Status = EFI_UNSUPPORTED;
> 
> +    goto ON_EXIT;
> 
> +  }
> 
> 
> 
>    KEKSigData = (EFI_SIGNATURE_DATA *)((UINT8 *)KekSigList + sizeof
> (EFI_SIGNATURE_LIST));
> 
>    CopyGuid (&KEKSigData->SignatureOwner, Private->SignatureGUID);
> 
>    CopyMem (
> 
>      KEKSigData->SignatureData,
> 
>      KeyBlob + sizeof (CPL_KEY_INFO),
> 
> -    WIN_CERT_UEFI_RSA2048_SIZE
> 
> +    KeyLenInBytes
> 
>      );
> 
> 
> 
>    //
> 
> @@ -890,7 +916,7 @@ EnrollKeyExchangeKey (
>    if (IsDerEncodeCertificate (FilePostFix)) {
> 
>      return EnrollX509ToKek (Private);
> 
>    } else if (CompareMem (FilePostFix, L".pbk", 4) == 0) {
> 
> -    return EnrollRsa2048ToKek (Private);
> 
> +    return EnrollRsaToKek (Private);
> 
>    } else {
> 
>      //
> 
>      // File type is wrong, simply close it
> 
> @@ -1847,7 +1873,7 @@ HashPeImage (
>    SectionHeader = NULL;
> 
>    Status        = FALSE;
> 
> 
> 
> -  if (HashAlg != HASHALG_SHA256) {
> 
> +  if ((HashAlg >= HASHALG_MAX)) {
> 
>      return FALSE;
> 
>    }
> 
> 
> 
> @@ -1856,8 +1882,25 @@ HashPeImage (
>    //
> 
>    ZeroMem (mImageDigest, MAX_DIGEST_SIZE);
> 
> 
> 
> -  mImageDigestSize = SHA256_DIGEST_SIZE;
> 
> -  mCertType        = gEfiCertSha256Guid;
> 
> +   switch (HashAlg) {
> 
> +    case HASHALG_SHA256:
> 
> +      mImageDigestSize = SHA256_DIGEST_SIZE;
> 
> +      mCertType        = gEfiCertSha256Guid;
> 
> +      break;
> 
> +
> 
> +    case HASHALG_SHA384:
> 
> +      mImageDigestSize = SHA384_DIGEST_SIZE;
> 
> +      mCertType        = gEfiCertSha384Guid;
> 
> +      break;
> 
> +
> 
> +    case HASHALG_SHA512:
> 
> +      mImageDigestSize = SHA512_DIGEST_SIZE;
> 
> +      mCertType        = gEfiCertSha512Guid;
> 
> +      break;
> 
> +
> 
> +    default:
> 
> +      return FALSE;
> 
> +  }
> 
> 
> 
>    CtxSize = mHash[HashAlg].GetContextSize ();
> 
> 
> 
> @@ -2251,6 +2294,7 @@ EnrollImageSignatureToSigDB (
>    UINT32                     Attr;
> 
>    WIN_CERTIFICATE_UEFI_GUID  *GuidCertData;
> 
>    EFI_TIME                   Time;
> 
> +  UINT32                     HashAlg;
> 
> 
> 
>    Data         = NULL;
> 
>    GuidCertData = NULL;
> 
> @@ -2289,8 +2333,20 @@ EnrollImageSignatureToSigDB (
>    }
> 
> 
> 
>    if (mSecDataDir->SizeOfCert == 0) {
> 
> -    if (!HashPeImage (HASHALG_SHA256)) {
> 
> -      Status =  EFI_SECURITY_VIOLATION;
> 
> +    Status = EFI_SECURITY_VIOLATION;
> 
> +    HashAlg = sizeof (mHash) / sizeof (HASH_TABLE);
> 
> +    while (HashAlg > 0) {
> 
> +      HashAlg--;
> 
> +      if ((mHash[HashAlg].GetContextSize == NULL) || (mHash[HashAlg].HashInit
> == NULL) || (mHash[HashAlg].HashUpdate == NULL) ||
> (mHash[HashAlg].HashFinal == NULL)) {
> 
> +        continue;
> 
> +      }
> 
> +      if (HashPeImage (HashAlg)) {
> 
> +        Status = EFI_SUCCESS;
> 
> +        break;
> 
> +      }
> 
> +    }
> 
> +    if (EFI_ERROR (Status)) {
> 
> +      DEBUG ((DEBUG_ERROR, "Fail to get hash digest: %r", Status));
> 
>        goto ON_EXIT;
> 
>      }
> 
>    } else {
> 
> @@ -2589,6 +2645,10 @@ UpdateDeletePage (
>    while ((ItemDataSize > 0) && (ItemDataSize >= CertList->SignatureListSize)) {
> 
>      if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid)) {
> 
>        Help = STRING_TOKEN (STR_CERT_TYPE_RSA2048_SHA256_GUID);
> 
> +    } else if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid)) {
> 
> +      Help = STRING_TOKEN (STR_CERT_TYPE_RSA3072_SHA384_GUID);
> 
> +    } else if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid)) {
> 
> +      Help = STRING_TOKEN (STR_CERT_TYPE_RSA4096_SHA512_GUID);
> 
>      } else if (CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) {
> 
>        Help = STRING_TOKEN (STR_CERT_TYPE_PCKS7_GUID);
> 
>      } else if (CompareGuid (&CertList->SignatureType, &gEfiCertSha1Guid)) {
> 
> @@ -2750,6 +2810,8 @@ DeleteKeyExchangeKey (
>    GuidIndex      = 0;
> 
>    while ((KekDataSize > 0) && (KekDataSize >= CertList->SignatureListSize)) {
> 
>      if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid) ||
> 
> +        CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid) ||
> 
> +        CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid) ||
> 
>          CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid))
> 
>      {
> 
>        CopyMem (Data + Offset, CertList, (sizeof (EFI_SIGNATURE_LIST) + CertList-
> >SignatureHeaderSize));
> 
> @@ -2952,6 +3014,8 @@ DeleteSignature (
>    GuidIndex    = 0;
> 
>    while ((ItemDataSize > 0) && (ItemDataSize >= CertList->SignatureListSize)) {
> 
>      if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid) ||
> 
> +        CompareGuid (&CertList->SignatureType, &gEfiCertRsa3072Guid) ||
> 
> +        CompareGuid (&CertList->SignatureType, &gEfiCertRsa4096Guid) ||
> 
>          CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid) ||
> 
>          CompareGuid (&CertList->SignatureType, &gEfiCertSha1Guid) ||
> 
>          CompareGuid (&CertList->SignatureType, &gEfiCertSha256Guid) ||
> 
> @@ -3758,12 +3822,20 @@ LoadSignatureList (
>    while ((RemainingSize > 0) && (RemainingSize >= ListWalker->SignatureListSize))
> {
> 
>      if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa2048Guid)) {
> 
>        ListType = STRING_TOKEN (STR_LIST_TYPE_RSA2048_SHA256);
> 
> +    } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa3072Guid))
> {
> 
> +      ListType = STRING_TOKEN (STR_LIST_TYPE_RSA3072_SHA384);
> 
> +    } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa4096Guid))
> {
> 
> +      ListType = STRING_TOKEN (STR_LIST_TYPE_RSA4096_SHA512);
> 
>      } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Guid)) {
> 
>        ListType = STRING_TOKEN (STR_LIST_TYPE_X509);
> 
>      } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha1Guid)) {
> 
>        ListType = STRING_TOKEN (STR_LIST_TYPE_SHA1);
> 
>      } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha256Guid)) {
> 
>        ListType = STRING_TOKEN (STR_LIST_TYPE_SHA256);
> 
> +    } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha384Guid)) {
> 
> +      ListType = STRING_TOKEN (STR_LIST_TYPE_SHA384);
> 
> +    } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha512Guid)) {
> 
> +      ListType = STRING_TOKEN (STR_LIST_TYPE_SHA512);
> 
>      } else if (CompareGuid (&ListWalker->SignatureType,
> &gEfiCertX509Sha256Guid)) {
> 
>        ListType = STRING_TOKEN (STR_LIST_TYPE_X509_SHA256);
> 
>      } else if (CompareGuid (&ListWalker->SignatureType,
> &gEfiCertX509Sha384Guid)) {
> 
> @@ -4001,6 +4073,14 @@ FormatHelpInfo (
>      ListTypeId = STRING_TOKEN (STR_LIST_TYPE_RSA2048_SHA256);
> 
>      DataSize   = ListEntry->SignatureSize - sizeof (EFI_GUID);
> 
>      IsCert     = TRUE;
> 
> +  } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertRsa3072Guid)) {
> 
> +    ListTypeId = STRING_TOKEN (STR_LIST_TYPE_RSA3072_SHA384);
> 
> +    DataSize   = ListEntry->SignatureSize - sizeof (EFI_GUID);
> 
> +    IsCert     = TRUE;
> 
> +  } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertRsa4096Guid)) {
> 
> +    ListTypeId = STRING_TOKEN (STR_LIST_TYPE_RSA4096_SHA512);
> 
> +    DataSize   = ListEntry->SignatureSize - sizeof (EFI_GUID);
> 
> +    IsCert     = TRUE;
> 
>    } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertX509Guid)) {
> 
>      ListTypeId = STRING_TOKEN (STR_LIST_TYPE_X509);
> 
>      DataSize   = ListEntry->SignatureSize - sizeof (EFI_GUID);
> 
> @@ -4011,6 +4091,12 @@ FormatHelpInfo (
>    } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha256Guid)) {
> 
>      ListTypeId = STRING_TOKEN (STR_LIST_TYPE_SHA256);
> 
>      DataSize   = 32;
> 
> +  } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha384Guid)) {
> 
> +    ListTypeId = STRING_TOKEN (STR_LIST_TYPE_SHA384);
> 
> +    DataSize   = 48;
> 
> +  } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertSha512Guid)) {
> 
> +    ListTypeId = STRING_TOKEN (STR_LIST_TYPE_SHA512);
> 
> +    DataSize   = 64;
> 
>    } else if (CompareGuid (&ListEntry->SignatureType, &gEfiCertX509Sha256Guid))
> {
> 
>      ListTypeId = STRING_TOKEN (STR_LIST_TYPE_X509_SHA256);
> 
>      DataSize   = 32;
> 
> diff --git
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigIm
> pl.h
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigIm
> pl.h
> index 37c66f1b95..ff6e7301af 100644
> ---
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigIm
> pl.h
> +++
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigIm
> pl.h
> @@ -82,6 +82,8 @@ extern  EFI_IFR_GUID_LABEL  *mEndLabel;
>  #define MAX_DIGEST_SIZE  SHA512_DIGEST_SIZE
> 
> 
> 
>  #define WIN_CERT_UEFI_RSA2048_SIZE  256
> 
> +#define WIN_CERT_UEFI_RSA3072_SIZE  384
> 
> +#define WIN_CERT_UEFI_RSA4096_SIZE  512
> 
> 
> 
>  //
> 
>  // Support hash types
> 
> @@ -98,6 +100,11 @@ extern  EFI_IFR_GUID_LABEL  *mEndLabel;
>  //
> 
>  #define CER_PUBKEY_MIN_SIZE  256
> 
> 
> 
> +//
> 
> +// Define KeyType for public key storing file
> 
> +//
> 
> +#define KEY_TYPE_RSASSA  0
> 
> +
> 
>  //
> 
>  // Types of errors may occur during certificate enrollment.
> 
>  //
> 
> diff --git
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStr
> ings.uni
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStr
> ings.uni
> index 0d01701de7..1b48acc800 100644
> ---
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStr
> ings.uni
> +++
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStr
> ings.uni
> @@ -113,6 +113,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
>  #string STR_FORM_ENROLL_KEK_FROM_FILE_TITLE_HELP    #language en-US
> "Read the public key of KEK from file"
> 
>  #string STR_FILE_EXPLORER_TITLE                   #language en-US "File Explorer"
> 
>  #string STR_CERT_TYPE_RSA2048_SHA256_GUID         #language en-US
> "RSA2048_SHA256_GUID"
> 
> +#string STR_CERT_TYPE_RSA3072_SHA384_GUID         #language en-US
> "RSA3072_SHA384_GUID"
> 
> +#string STR_CERT_TYPE_RSA4096_SHA512_GUID         #language en-US
> "RSA4096_SHA512_GUID"
> 
>  #string STR_CERT_TYPE_PCKS7_GUID                  #language en-US "PKCS7_GUID"
> 
>  #string STR_CERT_TYPE_SHA1_GUID                   #language en-US "SHA1_GUID"
> 
>  #string STR_CERT_TYPE_SHA256_GUID                 #language en-US
> "SHA256_GUID"
> 
> @@ -121,9 +123,13 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
>  #string STR_CERT_TYPE_X509_SHA512_GUID            #language en-US
> "X509_SHA512_GUID"
> 
> 
> 
>  #string STR_LIST_TYPE_RSA2048_SHA256              #language en-US
> "RSA2048_SHA256"
> 
> +#string STR_LIST_TYPE_RSA3072_SHA384              #language en-US
> "RSA3072_SHA384"
> 
> +#string STR_LIST_TYPE_RSA4096_SHA512              #language en-US
> "RSA4096_SHA512"
> 
>  #string STR_LIST_TYPE_X509                        #language en-US "X509"
> 
>  #string STR_LIST_TYPE_SHA1                        #language en-US "SHA1"
> 
>  #string STR_LIST_TYPE_SHA256                      #language en-US "SHA256"
> 
> +#string STR_LIST_TYPE_SHA384                      #language en-US "SHA384"
> 
> +#string STR_LIST_TYPE_SHA512                      #language en-US "SHA512"
> 
>  #string STR_LIST_TYPE_X509_SHA256                 #language en-US "X509_SHA256"
> 
>  #string STR_LIST_TYPE_X509_SHA384                 #language en-US "X509_SHA384"
> 
>  #string STR_LIST_TYPE_X509_SHA512                 #language en-US "X509_SHA512"
> 
> --
> 2.26.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#107309): https://edk2.groups.io/g/devel/message/107309
Mute This Topic: https://groups.io/mt/100385944/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for CERT_RSA3072 and CERT_RSA4096
       [not found] ` <1775A5F91CFEF78E.27447@groups.io>
@ 2023-07-28  4:32   ` Sheng Wei
  2023-07-31  2:01     ` Sheng Wei
  0 siblings, 1 reply; 17+ messages in thread
From: Sheng Wei @ 2023-07-28  4:32 UTC (permalink / raw)
  To: devel@edk2.groups.io, Sheng, W, Kinney, Michael D
  Cc: Yao, Jiewen, Wang, Jian J, Xu, Min M, Chen, Zeyi, Wang, Fiona,
	Lu, Xiaoyu1, Jiang, Guomin, Gao, Liming

Hi Michael D,
Could you help to review and merge this patch to MdePkg?
This patch is only to add 2 new GUIDs.
These 2 GUIDs will be used for adding RSA3072/RSA4096 cert support for secure boot feature.
Thank you.
BR
Sheng Wei

> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Sheng
> Wei
> Sent: 2023年7月27日 14:35
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi
> <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>; Lu, Xiaoyu1
> <xiaoyu1.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>; Kinney,
> Michael D <michael.d.kinney@intel.com>; Gao, Liming
> <gaoliming@byosoft.com.cn>
> Subject: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for
> CERT_RSA3072 and CERT_RSA4096
> 
> Add gEfiCertRsa3072Guid and gEfiCertRsa4096Guid
> 
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Min Xu <min.m.xu@intel.com>
> Cc: Zeyi Chen <zeyi.chen@intel.com>
> Cc: Fiona Wang <fiona.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
> Cc: Guomin Jiang <guomin.jiang@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Liming Gao <gaoliming@byosoft.com.cn>
> Signed-off-by: Sheng Wei <w.sheng@intel.com>
> ---
>  MdePkg/Include/Guid/ImageAuthentication.h | 26
> +++++++++++++++++++++++
>  MdePkg/MdePkg.dec                         |  2 ++
>  2 files changed, 28 insertions(+)
> 
> diff --git a/MdePkg/Include/Guid/ImageAuthentication.h
> b/MdePkg/Include/Guid/ImageAuthentication.h
> index fe83596571..c8ea2c14fb 100644
> --- a/MdePkg/Include/Guid/ImageAuthentication.h
> +++ b/MdePkg/Include/Guid/ImageAuthentication.h
> @@ -144,6 +144,30 @@ typedef struct {
>      0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3,
> 0xb6} \   } +///+/// This identifies a signature containing an RSA-3072 key. The
> key (only the modulus+/// since the public key exponent is known to be
> 0x10001) shall be stored in big-endian+/// order.+/// The SignatureHeader
> size shall always be 0. The SignatureSize shall always be 16 (size+/// of
> SignatureOwner component) + 384 bytes.+///+#define
> EFI_CERT_RSA3072_GUID \+  { \+    0xedd320c2, 0xb057, 0x4b8e, {0xad, 0x46,
> 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 } \+  }++///+/// This identifies a signature
> containing an RSA-4096 key. The key (only the modulus+/// since the public
> key exponent is known to be 0x10001) shall be stored in big-endian+///
> order.+/// The SignatureHeader size shall always be 0. The SignatureSize shall
> always be 16 (size+/// of SignatureOwner component) + 512
> bytes.+///+#define EFI_CERT_RSA4096_GUID \+  { \+    0xb23e89a6, 0x8c8b,
> 0x4412, {0x85, 0x73, 0x15, 0x4e, 0x8d, 0x00, 0x98, 0x2c } \+  }+ /// /// This
> identifies a signature containing a RSA-2048 signature of a SHA-256 hash.  The
> /// SignatureHeader size shall always be 0. The SignatureSize shall always be
> 16 (size of@@ -330,6 +354,8 @@ typedef struct {
>  extern EFI_GUID  gEfiImageSecurityDatabaseGuid; extern EFI_GUID
> gEfiCertSha256Guid; extern EFI_GUID  gEfiCertRsa2048Guid;+extern
> EFI_GUID  gEfiCertRsa3072Guid;+extern EFI_GUID  gEfiCertRsa4096Guid;
> extern EFI_GUID  gEfiCertRsa2048Sha256Guid; extern EFI_GUID
> gEfiCertSha1Guid; extern EFI_GUID  gEfiCertRsa2048Sha1Guid;diff --git
> a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec index
> b85614992b..24e4779d33 100644
> --- a/MdePkg/MdePkg.dec
> +++ b/MdePkg/MdePkg.dec
> @@ -581,6 +581,8 @@
>    gEfiImageSecurityDatabaseGuid  = { 0xd719b2cb, 0x3d3a, 0x4596, {0xa3,
> 0xbc, 0xda, 0xd0,  0xe, 0x67, 0x65, 0x6f }}   gEfiCertSha256Guid             =
> { 0xc1c41626, 0x504c, 0x4092, {0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 }}
> gEfiCertRsa2048Guid            = { 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed,
> 0x77, 0x6e, 0x85, 0xb3, 0xb6 }}+  gEfiCertRsa3072Guid            = { 0xedd320c2,
> 0xb057, 0x4b8e, {0xad, 0x46, 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 }}+
> gEfiCertRsa4096Guid            = { 0xb23e89a6, 0x8c8b, 0x4412, {0x85, 0x73, 0x15,
> 0x4e, 0x8d, 0x00, 0x98, 0x2c }}   gEfiCertRsa2048Sha256Guid      = { 0xe2b36190,
> 0x879b, 0x4a3d, {0xad, 0x8d, 0xf2, 0xe7, 0xbb, 0xa3, 0x27, 0x84 }}
> gEfiCertSha1Guid               = { 0x826ca512, 0xcf10, 0x4ac9, {0xb1, 0x87, 0xbe,
> 0x1, 0x49, 0x66, 0x31, 0xbd }}   gEfiCertRsa2048Sha1Guid        = { 0x67f8444f,
> 0x8743, 0x48f1, {0xa3, 0x28, 0x1e, 0xaa, 0xb8, 0x73, 0x60, 0x80 }}--
> 2.26.2.windows.1
> 
> 
> 
> -=-=-=-=-=-=
> Groups.io Links: You receive all messages sent to this group.
> View/Reply Online (#107294):
> https://edk2.groups.io/g/devel/message/107294
> Mute This Topic: https://groups.io/mt/100385942/2558558
> Group Owner: devel+owner@edk2.groups.io
> Unsubscribe: https://edk2.groups.io/g/devel/unsub [w.sheng@intel.com] -
> =-=-=-=-=-=
> 



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#107313): https://edk2.groups.io/g/devel/message/107313
Mute This Topic: https://groups.io/mt/100405114/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for CERT_RSA3072 and CERT_RSA4096
  2023-07-28  4:32   ` [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for CERT_RSA3072 and CERT_RSA4096 Sheng Wei
@ 2023-07-31  2:01     ` Sheng Wei
  2023-08-02  2:58       ` 回复: " gaoliming via groups.io
  2023-08-02  8:03       ` Sheng Wei
  0 siblings, 2 replies; 17+ messages in thread
From: Sheng Wei @ 2023-07-31  2:01 UTC (permalink / raw)
  To: devel@edk2.groups.io, Gao, Liming
  Cc: Yao, Jiewen, Wang, Jian J, Xu, Min M, Chen, Zeyi, Wang, Fiona,
	Lu, Xiaoyu1, Jiang, Guomin, Kinney, Michael D

[-- Attachment #1: Type: text/plain, Size: 5505 bytes --]

Hi Gao, Liming,
Could you help to review and merge this patch to MdePkg?
This patch is only to add 2 new GUIDs.
These 2 GUIDs will be used for adding RSA3072/RSA4096 cert support for secure boot feature.
Thank you.
BR
Sheng Wei

> > -----Original Message-----
> > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Sheng
> > Wei
> > Sent: 2023年7月27日 14:35
> > To: devel@edk2.groups.io
> > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi
> > <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>; Lu, Xiaoyu1
> > <xiaoyu1.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>;
> > Kinney, Michael D <michael.d.kinney@intel.com>; Gao, Liming
> > <gaoliming@byosoft.com.cn>
> > Subject: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for
> > CERT_RSA3072 and CERT_RSA4096
> >
> > Add gEfiCertRsa3072Guid and gEfiCertRsa4096Guid
> >
> > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > Cc: Jian J Wang <jian.j.wang@intel.com>
> > Cc: Min Xu <min.m.xu@intel.com>
> > Cc: Zeyi Chen <zeyi.chen@intel.com>
> > Cc: Fiona Wang <fiona.wang@intel.com>
> > Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
> > Cc: Guomin Jiang <guomin.jiang@intel.com>
> > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > Cc: Liming Gao <gaoliming@byosoft.com.cn>
> > Signed-off-by: Sheng Wei <w.sheng@intel.com>
> > ---
> >  MdePkg/Include/Guid/ImageAuthentication.h | 26
> > +++++++++++++++++++++++
> >  MdePkg/MdePkg.dec                         |  2 ++
> >  2 files changed, 28 insertions(+)
> >
> > diff --git a/MdePkg/Include/Guid/ImageAuthentication.h
> > b/MdePkg/Include/Guid/ImageAuthentication.h
> > index fe83596571..c8ea2c14fb 100644
> > --- a/MdePkg/Include/Guid/ImageAuthentication.h
> > +++ b/MdePkg/Include/Guid/ImageAuthentication.h
> > @@ -144,6 +144,30 @@ typedef struct {
> >      0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3,
> > 0xb6} \   } +///+/// This identifies a signature containing an RSA-3072 key.
> The
> > key (only the modulus+/// since the public key exponent is known to be
> > 0x10001) shall be stored in big-endian+/// order.+/// The
> > SignatureHeader size shall always be 0. The SignatureSize shall always
> > be 16 (size+/// of SignatureOwner component) + 384 bytes.+///+#define
> > EFI_CERT_RSA3072_GUID \+  { \+    0xedd320c2, 0xb057, 0x4b8e, {0xad,
> 0x46,
> > 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 } \+  }++///+/// This identifies a
> > signature containing an RSA-4096 key. The key (only the modulus+///
> > since the public key exponent is known to be 0x10001) shall be stored
> > in big-endian+/// order.+/// The SignatureHeader size shall always be
> > 0. The SignatureSize shall always be 16 (size+/// of SignatureOwner
> component) + 512
> > bytes.+///+#define EFI_CERT_RSA4096_GUID \+  { \+    0xb23e89a6, 0x8c8b,
> > 0x4412, {0x85, 0x73, 0x15, 0x4e, 0x8d, 0x00, 0x98, 0x2c } \+  }+ ///
> > /// This identifies a signature containing a RSA-2048 signature of a
> > SHA-256 hash.  The /// SignatureHeader size shall always be 0. The
> > SignatureSize shall always be
> > 16 (size of@@ -330,6 +354,8 @@ typedef struct {  extern EFI_GUID
> > gEfiImageSecurityDatabaseGuid; extern EFI_GUID gEfiCertSha256Guid;
> > extern EFI_GUID  gEfiCertRsa2048Guid;+extern EFI_GUID
> > gEfiCertRsa3072Guid;+extern EFI_GUID  gEfiCertRsa4096Guid; extern
> > EFI_GUID  gEfiCertRsa2048Sha256Guid; extern EFI_GUID gEfiCertSha1Guid;
> > extern EFI_GUID  gEfiCertRsa2048Sha1Guid;diff --git
> > a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec index
> > b85614992b..24e4779d33 100644
> > --- a/MdePkg/MdePkg.dec
> > +++ b/MdePkg/MdePkg.dec
> > @@ -581,6 +581,8 @@
> >    gEfiImageSecurityDatabaseGuid  = { 0xd719b2cb, 0x3d3a, 0x4596, {0xa3,
> > 0xbc, 0xda, 0xd0,  0xe, 0x67, 0x65, 0x6f }}   gEfiCertSha256Guid             =
> > { 0xc1c41626, 0x504c, 0x4092, {0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43,
> 0x28 }}
> > gEfiCertRsa2048Guid            = { 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14,
> 0xed,
> > 0x77, 0x6e, 0x85, 0xb3, 0xb6 }}+  gEfiCertRsa3072Guid            = { 0xedd320c2,
> > 0xb057, 0x4b8e, {0xad, 0x46, 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 }}+
> > gEfiCertRsa4096Guid            = { 0xb23e89a6, 0x8c8b, 0x4412, {0x85, 0x73,
> 0x15,
> > 0x4e, 0x8d, 0x00, 0x98, 0x2c }}   gEfiCertRsa2048Sha256Guid      =
> { 0xe2b36190,
> > 0x879b, 0x4a3d, {0xad, 0x8d, 0xf2, 0xe7, 0xbb, 0xa3, 0x27, 0x84 }}
> > gEfiCertSha1Guid               = { 0x826ca512, 0xcf10, 0x4ac9, {0xb1, 0x87, 0xbe,
> > 0x1, 0x49, 0x66, 0x31, 0xbd }}   gEfiCertRsa2048Sha1Guid        = { 0x67f8444f,
> > 0x8743, 0x48f1, {0xa3, 0x28, 0x1e, 0xaa, 0xb8, 0x73, 0x60, 0x80 }}--
> > 2.26.2.windows.1
> >
> >
> >
> > -=-=-=-=-=-=
> > Groups.io Links: You receive all messages sent to this group.
> > View/Reply Online (#107294):
> > https://edk2.groups.io/g/devel/message/107294
> > Mute This Topic: https://groups.io/mt/100385942/2558558
> > Group Owner: devel+owner@edk2.groups.io
> > Unsubscribe: https://edk2.groups.io/g/devel/unsub [w.sheng@intel.com]
> > - =-=-=-=-=-=
> >



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#107389): https://edk2.groups.io/g/devel/message/107389
Mute This Topic: https://groups.io/mt/100405114/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



[-- Attachment #2: 0001-MdePkg-Include-Add-GUID-for-CERT_RSA3072-and-CERT_RS.patch --]
[-- Type: application/octet-stream, Size: 3849 bytes --]

From fbf2372257907a7756f05279ecae01b3554aede2 Mon Sep 17 00:00:00 2001
From: Sheng Wei <w.sheng@intel.com>
Date: Tue, 25 Jul 2023 17:01:09 +0800
Subject: [PATCH V5 1/3] MdePkg/Include: Add GUID for CERT_RSA3072 and
 CERT_RSA4096

Add gEfiCertRsa3072Guid and gEfiCertRsa4096Guid

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Zeyi Chen <zeyi.chen@intel.com>
Cc: Fiona Wang <fiona.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Signed-off-by: Sheng Wei <w.sheng@intel.com>
---
 MdePkg/Include/Guid/ImageAuthentication.h | 26 +++++++++++++++++++++++
 MdePkg/MdePkg.dec                         |  2 ++
 2 files changed, 28 insertions(+)

diff --git a/MdePkg/Include/Guid/ImageAuthentication.h b/MdePkg/Include/Guid/ImageAuthentication.h
index fe83596571..c8ea2c14fb 100644
--- a/MdePkg/Include/Guid/ImageAuthentication.h
+++ b/MdePkg/Include/Guid/ImageAuthentication.h
@@ -144,6 +144,30 @@ typedef struct {
     0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6} \
   }
 
+///
+/// This identifies a signature containing an RSA-3072 key. The key (only the modulus
+/// since the public key exponent is known to be 0x10001) shall be stored in big-endian
+/// order.
+/// The SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size
+/// of SignatureOwner component) + 384 bytes.
+///
+#define EFI_CERT_RSA3072_GUID \
+  { \
+    0xedd320c2, 0xb057, 0x4b8e, {0xad, 0x46, 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 } \
+  }
+
+///
+/// This identifies a signature containing an RSA-4096 key. The key (only the modulus
+/// since the public key exponent is known to be 0x10001) shall be stored in big-endian
+/// order.
+/// The SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size
+/// of SignatureOwner component) + 512 bytes.
+///
+#define EFI_CERT_RSA4096_GUID \
+  { \
+    0xb23e89a6, 0x8c8b, 0x4412, {0x85, 0x73, 0x15, 0x4e, 0x8d, 0x00, 0x98, 0x2c } \
+  }
+
 ///
 /// This identifies a signature containing a RSA-2048 signature of a SHA-256 hash.  The
 /// SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size of
@@ -330,6 +354,8 @@ typedef struct {
 extern EFI_GUID  gEfiImageSecurityDatabaseGuid;
 extern EFI_GUID  gEfiCertSha256Guid;
 extern EFI_GUID  gEfiCertRsa2048Guid;
+extern EFI_GUID  gEfiCertRsa3072Guid;
+extern EFI_GUID  gEfiCertRsa4096Guid;
 extern EFI_GUID  gEfiCertRsa2048Sha256Guid;
 extern EFI_GUID  gEfiCertSha1Guid;
 extern EFI_GUID  gEfiCertRsa2048Sha1Guid;
diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec
index b85614992b..24e4779d33 100644
--- a/MdePkg/MdePkg.dec
+++ b/MdePkg/MdePkg.dec
@@ -581,6 +581,8 @@
   gEfiImageSecurityDatabaseGuid  = { 0xd719b2cb, 0x3d3a, 0x4596, {0xa3, 0xbc, 0xda, 0xd0,  0xe, 0x67, 0x65, 0x6f }}
   gEfiCertSha256Guid             = { 0xc1c41626, 0x504c, 0x4092, {0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 }}
   gEfiCertRsa2048Guid            = { 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6 }}
+  gEfiCertRsa3072Guid            = { 0xedd320c2, 0xb057, 0x4b8e, {0xad, 0x46, 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 }}
+  gEfiCertRsa4096Guid            = { 0xb23e89a6, 0x8c8b, 0x4412, {0x85, 0x73, 0x15, 0x4e, 0x8d, 0x00, 0x98, 0x2c }}
   gEfiCertRsa2048Sha256Guid      = { 0xe2b36190, 0x879b, 0x4a3d, {0xad, 0x8d, 0xf2, 0xe7, 0xbb, 0xa3, 0x27, 0x84 }}
   gEfiCertSha1Guid               = { 0x826ca512, 0xcf10, 0x4ac9, {0xb1, 0x87, 0xbe,  0x1, 0x49, 0x66, 0x31, 0xbd }}
   gEfiCertRsa2048Sha1Guid        = { 0x67f8444f, 0x8743, 0x48f1, {0xa3, 0x28, 0x1e, 0xaa, 0xb8, 0x73, 0x60, 0x80 }}
-- 
2.26.2.windows.1


^ permalink raw reply related	[flat|nested] 17+ messages in thread

* 回复: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for CERT_RSA3072 and CERT_RSA4096
  2023-07-31  2:01     ` Sheng Wei
@ 2023-08-02  2:58       ` gaoliming via groups.io
  2023-08-02  8:03       ` Sheng Wei
  1 sibling, 0 replies; 17+ messages in thread
From: gaoliming via groups.io @ 2023-08-02  2:58 UTC (permalink / raw)
  To: 'Sheng, W', devel
  Cc: 'Yao, Jiewen', 'Wang, Jian J',
	'Xu, Min M', 'Chen, Zeyi', 'Wang, Fiona',
	'Lu, Xiaoyu1', 'Jiang, Guomin',
	'Kinney, Michael D'

Wei:
  I don't see these two new GUID are in the public UEFI spec. Are they
published now?

Thanks
Liming
> -----邮件原件-----
> 发件人: Sheng, W <w.sheng@intel.com>
> 发送时间: 2023年7月31日 10:02
> 收件人: devel@edk2.groups.io; Gao, Liming <gaoliming@byosoft.com.cn>
> 抄送: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi
> <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>; Lu, Xiaoyu1
> <xiaoyu1.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>; Kinney,
> Michael D <michael.d.kinney@intel.com>
> 主题: RE: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for
> CERT_RSA3072 and CERT_RSA4096
> 
> Hi Gao, Liming,
> Could you help to review and merge this patch to MdePkg?
> This patch is only to add 2 new GUIDs.
> These 2 GUIDs will be used for adding RSA3072/RSA4096 cert support for
> secure boot feature.
> Thank you.
> BR
> Sheng Wei
> 
> > > -----Original Message-----
> > > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Sheng
> > > Wei
> > > Sent: 2023年7月27日 14:35
> > > To: devel@edk2.groups.io
> > > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> > > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi
> > > <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>; Lu,
> Xiaoyu1
> > > <xiaoyu1.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>;
> > > Kinney, Michael D <michael.d.kinney@intel.com>; Gao, Liming
> > > <gaoliming@byosoft.com.cn>
> > > Subject: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for
> > > CERT_RSA3072 and CERT_RSA4096
> > >
> > > Add gEfiCertRsa3072Guid and gEfiCertRsa4096Guid
> > >
> > > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > > Cc: Jian J Wang <jian.j.wang@intel.com>
> > > Cc: Min Xu <min.m.xu@intel.com>
> > > Cc: Zeyi Chen <zeyi.chen@intel.com>
> > > Cc: Fiona Wang <fiona.wang@intel.com>
> > > Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
> > > Cc: Guomin Jiang <guomin.jiang@intel.com>
> > > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > > Cc: Liming Gao <gaoliming@byosoft.com.cn>
> > > Signed-off-by: Sheng Wei <w.sheng@intel.com>
> > > ---
> > >  MdePkg/Include/Guid/ImageAuthentication.h | 26
> > > +++++++++++++++++++++++
> > >  MdePkg/MdePkg.dec                         |  2 ++
> > >  2 files changed, 28 insertions(+)
> > >
> > > diff --git a/MdePkg/Include/Guid/ImageAuthentication.h
> > > b/MdePkg/Include/Guid/ImageAuthentication.h
> > > index fe83596571..c8ea2c14fb 100644
> > > --- a/MdePkg/Include/Guid/ImageAuthentication.h
> > > +++ b/MdePkg/Include/Guid/ImageAuthentication.h
> > > @@ -144,6 +144,30 @@ typedef struct {
> > >      0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85,
> 0xb3,
> > > 0xb6} \   } +///+/// This identifies a signature containing an
RSA-3072
> key.
> > The
> > > key (only the modulus+/// since the public key exponent is known to be
> > > 0x10001) shall be stored in big-endian+/// order.+/// The
> > > SignatureHeader size shall always be 0. The SignatureSize shall always
> > > be 16 (size+/// of SignatureOwner component) + 384 bytes.+///+#define
> > > EFI_CERT_RSA3072_GUID \+  { \+    0xedd320c2, 0xb057, 0x4b8e,
> {0xad,
> > 0x46,
> > > 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 } \+  }++///+/// This identifies a
> > > signature containing an RSA-4096 key. The key (only the modulus+///
> > > since the public key exponent is known to be 0x10001) shall be stored
> > > in big-endian+/// order.+/// The SignatureHeader size shall always be
> > > 0. The SignatureSize shall always be 16 (size+/// of SignatureOwner
> > component) + 512
> > > bytes.+///+#define EFI_CERT_RSA4096_GUID \+  { \+    0xb23e89a6,
> 0x8c8b,
> > > 0x4412, {0x85, 0x73, 0x15, 0x4e, 0x8d, 0x00, 0x98, 0x2c } \+  }+ ///
> > > /// This identifies a signature containing a RSA-2048 signature of a
> > > SHA-256 hash.  The /// SignatureHeader size shall always be 0. The
> > > SignatureSize shall always be
> > > 16 (size of@@ -330,6 +354,8 @@ typedef struct {  extern EFI_GUID
> > > gEfiImageSecurityDatabaseGuid; extern EFI_GUID gEfiCertSha256Guid;
> > > extern EFI_GUID  gEfiCertRsa2048Guid;+extern EFI_GUID
> > > gEfiCertRsa3072Guid;+extern EFI_GUID  gEfiCertRsa4096Guid; extern
> > > EFI_GUID  gEfiCertRsa2048Sha256Guid; extern EFI_GUID
> gEfiCertSha1Guid;
> > > extern EFI_GUID  gEfiCertRsa2048Sha1Guid;diff --git
> > > a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec index
> > > b85614992b..24e4779d33 100644
> > > --- a/MdePkg/MdePkg.dec
> > > +++ b/MdePkg/MdePkg.dec
> > > @@ -581,6 +581,8 @@
> > >    gEfiImageSecurityDatabaseGuid  = { 0xd719b2cb, 0x3d3a, 0x4596,
> {0xa3,
> > > 0xbc, 0xda, 0xd0,  0xe, 0x67, 0x65, 0x6f }}   gEfiCertSha256Guid
> =
> > > { 0xc1c41626, 0x504c, 0x4092, {0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93,
0x43,
> > 0x28 }}
> > > gEfiCertRsa2048Guid            = { 0x3c5766e8, 0x269c, 0x4e34,
> {0xaa, 0x14,
> > 0xed,
> > > 0x77, 0x6e, 0x85, 0xb3, 0xb6 }}+  gEfiCertRsa3072Guid            =
> { 0xedd320c2,
> > > 0xb057, 0x4b8e, {0xad, 0x46, 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 }}+
> > > gEfiCertRsa4096Guid            = { 0xb23e89a6, 0x8c8b, 0x4412,
> {0x85, 0x73,
> > 0x15,
> > > 0x4e, 0x8d, 0x00, 0x98, 0x2c }}   gEfiCertRsa2048Sha256Guid      =
> > { 0xe2b36190,
> > > 0x879b, 0x4a3d, {0xad, 0x8d, 0xf2, 0xe7, 0xbb, 0xa3, 0x27, 0x84 }}
> > > gEfiCertSha1Guid               = { 0x826ca512, 0xcf10, 0x4ac9, {0xb1,
> 0x87, 0xbe,
> > > 0x1, 0x49, 0x66, 0x31, 0xbd }}   gEfiCertRsa2048Sha1Guid        =
> { 0x67f8444f,
> > > 0x8743, 0x48f1, {0xa3, 0x28, 0x1e, 0xaa, 0xb8, 0x73, 0x60, 0x80 }}--
> > > 2.26.2.windows.1
> > >
> > >
> > >
> > > -=-=-=-=-=-=
> > > Groups.io Links: You receive all messages sent to this group.
> > > View/Reply Online (#107294):
> > > https://edk2.groups.io/g/devel/message/107294
> > > Mute This Topic: https://groups.io/mt/100385942/2558558
> > > Group Owner: devel+owner@edk2.groups.io
> > > Unsubscribe: https://edk2.groups.io/g/devel/unsub [w.sheng@intel.com]
> > > - =-=-=-=-=-=
> > >





-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#107438): https://edk2.groups.io/g/devel/message/107438
Mute This Topic: https://groups.io/mt/100498532/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for CERT_RSA3072 and CERT_RSA4096
  2023-07-31  2:01     ` Sheng Wei
  2023-08-02  2:58       ` 回复: " gaoliming via groups.io
@ 2023-08-02  8:03       ` Sheng Wei
  2023-08-02  9:12         ` 回复: " gaoliming via groups.io
  1 sibling, 1 reply; 17+ messages in thread
From: Sheng Wei @ 2023-08-02  8:03 UTC (permalink / raw)
  To: devel@edk2.groups.io, Gao, Liming
  Cc: Yao, Jiewen, Wang, Jian J, Xu, Min M, Chen, Zeyi, Wang, Fiona,
	Lu, Xiaoyu1, Jiang, Guomin, Kinney, Michael D

[-- Attachment #1: Type: text/plain, Size: 6645 bytes --]

Hi Gao, Liming,
For this patch group, we have got review-by from Yao, Jiewen on patch 2/3(CryptoPkg) and patch 3/3(SecurityPkg).
Do you any comments on the patch 1/3 (MdePkg) ? 
Patch 1/3 is only to add 2 new GUIDs.
Could you help to merge it ?

Thank you.
BR
Sheng Wei

> -----Original Message-----
> From: Sheng, W
> Sent: 2023年7月31日 10:02
> To: 'devel@edk2.groups.io' <devel@edk2.groups.io>; Gao, Liming
> <gaoliming@byosoft.com.cn>
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi
> <Zeyi.Chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>; Lu, Xiaoyu1
> <xiaoyu1.lu@intel.com>; Jiang, Guomin <Guomin.Jiang@intel.com>; Kinney,
> Michael D <michael.d.kinney@intel.com>
> Subject: RE: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for
> CERT_RSA3072 and CERT_RSA4096
> 
> Hi Gao, Liming,
> Could you help to review and merge this patch to MdePkg?
> This patch is only to add 2 new GUIDs.
> These 2 GUIDs will be used for adding RSA3072/RSA4096 cert support for
> secure boot feature.
> Thank you.
> BR
> Sheng Wei
> 
> > > -----Original Message-----
> > > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of
> Sheng
> > > Wei
> > > Sent: 2023年7月27日 14:35
> > > To: devel@edk2.groups.io
> > > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> > > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi
> > > <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>; Lu,
> > > Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, Guomin
> > > <guomin.jiang@intel.com>; Kinney, Michael D
> > > <michael.d.kinney@intel.com>; Gao, Liming <gaoliming@byosoft.com.cn>
> > > Subject: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for
> > > CERT_RSA3072 and CERT_RSA4096
> > >
> > > Add gEfiCertRsa3072Guid and gEfiCertRsa4096Guid
> > >
> > > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > > Cc: Jian J Wang <jian.j.wang@intel.com>
> > > Cc: Min Xu <min.m.xu@intel.com>
> > > Cc: Zeyi Chen <zeyi.chen@intel.com>
> > > Cc: Fiona Wang <fiona.wang@intel.com>
> > > Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
> > > Cc: Guomin Jiang <guomin.jiang@intel.com>
> > > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > > Cc: Liming Gao <gaoliming@byosoft.com.cn>
> > > Signed-off-by: Sheng Wei <w.sheng@intel.com>
> > > ---
> > >  MdePkg/Include/Guid/ImageAuthentication.h | 26
> > > +++++++++++++++++++++++
> > >  MdePkg/MdePkg.dec                         |  2 ++
> > >  2 files changed, 28 insertions(+)
> > >
> > > diff --git a/MdePkg/Include/Guid/ImageAuthentication.h
> > > b/MdePkg/Include/Guid/ImageAuthentication.h
> > > index fe83596571..c8ea2c14fb 100644
> > > --- a/MdePkg/Include/Guid/ImageAuthentication.h
> > > +++ b/MdePkg/Include/Guid/ImageAuthentication.h
> > > @@ -144,6 +144,30 @@ typedef struct {
> > >      0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3,
> > > 0xb6} \   } +///+/// This identifies a signature containing an RSA-3072 key.
> > The
> > > key (only the modulus+/// since the public key exponent is known to
> > > be
> > > 0x10001) shall be stored in big-endian+/// order.+/// The
> > > SignatureHeader size shall always be 0. The SignatureSize shall
> > > always be 16 (size+/// of SignatureOwner component) + 384
> bytes.+///+#define
> > > EFI_CERT_RSA3072_GUID \+  { \+    0xedd320c2, 0xb057, 0x4b8e, {0xad,
> > 0x46,
> > > 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 } \+  }++///+/// This identifies
> > > a signature containing an RSA-4096 key. The key (only the
> > > modulus+/// since the public key exponent is known to be 0x10001)
> > > shall be stored in big-endian+/// order.+/// The SignatureHeader
> > > size shall always be 0. The SignatureSize shall always be 16
> > > (size+/// of SignatureOwner
> > component) + 512
> > > bytes.+///+#define EFI_CERT_RSA4096_GUID \+  { \+    0xb23e89a6,
> 0x8c8b,
> > > 0x4412, {0x85, 0x73, 0x15, 0x4e, 0x8d, 0x00, 0x98, 0x2c } \+  }+ ///
> > > /// This identifies a signature containing a RSA-2048 signature of a
> > > SHA-256 hash.  The /// SignatureHeader size shall always be 0. The
> > > SignatureSize shall always be
> > > 16 (size of@@ -330,6 +354,8 @@ typedef struct {  extern EFI_GUID
> > > gEfiImageSecurityDatabaseGuid; extern EFI_GUID gEfiCertSha256Guid;
> > > extern EFI_GUID  gEfiCertRsa2048Guid;+extern EFI_GUID
> > > gEfiCertRsa3072Guid;+extern EFI_GUID  gEfiCertRsa4096Guid; extern
> > > EFI_GUID  gEfiCertRsa2048Sha256Guid; extern EFI_GUID
> > > gEfiCertSha1Guid; extern EFI_GUID  gEfiCertRsa2048Sha1Guid;diff
> > > --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec index
> > > b85614992b..24e4779d33 100644
> > > --- a/MdePkg/MdePkg.dec
> > > +++ b/MdePkg/MdePkg.dec
> > > @@ -581,6 +581,8 @@
> > >    gEfiImageSecurityDatabaseGuid  = { 0xd719b2cb, 0x3d3a, 0x4596, {0xa3,
> > > 0xbc, 0xda, 0xd0,  0xe, 0x67, 0x65, 0x6f }}   gEfiCertSha256Guid             =
> > > { 0xc1c41626, 0x504c, 0x4092, {0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93,
> > > 0x43,
> > 0x28 }}
> > > gEfiCertRsa2048Guid            = { 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14,
> > 0xed,
> > > 0x77, 0x6e, 0x85, 0xb3, 0xb6 }}+  gEfiCertRsa3072Guid            =
> { 0xedd320c2,
> > > 0xb057, 0x4b8e, {0xad, 0x46, 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 }}+
> > > gEfiCertRsa4096Guid            = { 0xb23e89a6, 0x8c8b, 0x4412, {0x85, 0x73,
> > 0x15,
> > > 0x4e, 0x8d, 0x00, 0x98, 0x2c }}   gEfiCertRsa2048Sha256Guid      =
> > { 0xe2b36190,
> > > 0x879b, 0x4a3d, {0xad, 0x8d, 0xf2, 0xe7, 0xbb, 0xa3, 0x27, 0x84 }}
> > > gEfiCertSha1Guid               = { 0x826ca512, 0xcf10, 0x4ac9, {0xb1, 0x87, 0xbe,
> > > 0x1, 0x49, 0x66, 0x31, 0xbd }}   gEfiCertRsa2048Sha1Guid        =
> { 0x67f8444f,
> > > 0x8743, 0x48f1, {0xa3, 0x28, 0x1e, 0xaa, 0xb8, 0x73, 0x60, 0x80 }}--
> > > 2.26.2.windows.1
> > >
> > >
> > >
> > > -=-=-=-=-=-=
> > > Groups.io Links: You receive all messages sent to this group.
> > > View/Reply Online (#107294):
> > > https://edk2.groups.io/g/devel/message/107294
> > > Mute This Topic: https://groups.io/mt/100385942/2558558
> > > Group Owner: devel+owner@edk2.groups.io
> > > Unsubscribe: https://edk2.groups.io/g/devel/unsub
> > > [w.sheng@intel.com]
> > > - =-=-=-=-=-=
> > >



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#107452): https://edk2.groups.io/g/devel/message/107452
Mute This Topic: https://groups.io/mt/100405114/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



[-- Attachment #2: 0001-MdePkg-Include-Add-GUID-for-CERT_RSA3072-and-CERT_RS.patch --]
[-- Type: application/octet-stream, Size: 3849 bytes --]

From fbf2372257907a7756f05279ecae01b3554aede2 Mon Sep 17 00:00:00 2001
From: Sheng Wei <w.sheng@intel.com>
Date: Tue, 25 Jul 2023 17:01:09 +0800
Subject: [PATCH V5 1/3] MdePkg/Include: Add GUID for CERT_RSA3072 and
 CERT_RSA4096

Add gEfiCertRsa3072Guid and gEfiCertRsa4096Guid

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Zeyi Chen <zeyi.chen@intel.com>
Cc: Fiona Wang <fiona.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Signed-off-by: Sheng Wei <w.sheng@intel.com>
---
 MdePkg/Include/Guid/ImageAuthentication.h | 26 +++++++++++++++++++++++
 MdePkg/MdePkg.dec                         |  2 ++
 2 files changed, 28 insertions(+)

diff --git a/MdePkg/Include/Guid/ImageAuthentication.h b/MdePkg/Include/Guid/ImageAuthentication.h
index fe83596571..c8ea2c14fb 100644
--- a/MdePkg/Include/Guid/ImageAuthentication.h
+++ b/MdePkg/Include/Guid/ImageAuthentication.h
@@ -144,6 +144,30 @@ typedef struct {
     0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6} \
   }
 
+///
+/// This identifies a signature containing an RSA-3072 key. The key (only the modulus
+/// since the public key exponent is known to be 0x10001) shall be stored in big-endian
+/// order.
+/// The SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size
+/// of SignatureOwner component) + 384 bytes.
+///
+#define EFI_CERT_RSA3072_GUID \
+  { \
+    0xedd320c2, 0xb057, 0x4b8e, {0xad, 0x46, 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 } \
+  }
+
+///
+/// This identifies a signature containing an RSA-4096 key. The key (only the modulus
+/// since the public key exponent is known to be 0x10001) shall be stored in big-endian
+/// order.
+/// The SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size
+/// of SignatureOwner component) + 512 bytes.
+///
+#define EFI_CERT_RSA4096_GUID \
+  { \
+    0xb23e89a6, 0x8c8b, 0x4412, {0x85, 0x73, 0x15, 0x4e, 0x8d, 0x00, 0x98, 0x2c } \
+  }
+
 ///
 /// This identifies a signature containing a RSA-2048 signature of a SHA-256 hash.  The
 /// SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size of
@@ -330,6 +354,8 @@ typedef struct {
 extern EFI_GUID  gEfiImageSecurityDatabaseGuid;
 extern EFI_GUID  gEfiCertSha256Guid;
 extern EFI_GUID  gEfiCertRsa2048Guid;
+extern EFI_GUID  gEfiCertRsa3072Guid;
+extern EFI_GUID  gEfiCertRsa4096Guid;
 extern EFI_GUID  gEfiCertRsa2048Sha256Guid;
 extern EFI_GUID  gEfiCertSha1Guid;
 extern EFI_GUID  gEfiCertRsa2048Sha1Guid;
diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec
index b85614992b..24e4779d33 100644
--- a/MdePkg/MdePkg.dec
+++ b/MdePkg/MdePkg.dec
@@ -581,6 +581,8 @@
   gEfiImageSecurityDatabaseGuid  = { 0xd719b2cb, 0x3d3a, 0x4596, {0xa3, 0xbc, 0xda, 0xd0,  0xe, 0x67, 0x65, 0x6f }}
   gEfiCertSha256Guid             = { 0xc1c41626, 0x504c, 0x4092, {0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 }}
   gEfiCertRsa2048Guid            = { 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6 }}
+  gEfiCertRsa3072Guid            = { 0xedd320c2, 0xb057, 0x4b8e, {0xad, 0x46, 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 }}
+  gEfiCertRsa4096Guid            = { 0xb23e89a6, 0x8c8b, 0x4412, {0x85, 0x73, 0x15, 0x4e, 0x8d, 0x00, 0x98, 0x2c }}
   gEfiCertRsa2048Sha256Guid      = { 0xe2b36190, 0x879b, 0x4a3d, {0xad, 0x8d, 0xf2, 0xe7, 0xbb, 0xa3, 0x27, 0x84 }}
   gEfiCertSha1Guid               = { 0x826ca512, 0xcf10, 0x4ac9, {0xb1, 0x87, 0xbe,  0x1, 0x49, 0x66, 0x31, 0xbd }}
   gEfiCertRsa2048Sha1Guid        = { 0x67f8444f, 0x8743, 0x48f1, {0xa3, 0x28, 0x1e, 0xaa, 0xb8, 0x73, 0x60, 0x80 }}
-- 
2.26.2.windows.1


^ permalink raw reply related	[flat|nested] 17+ messages in thread

* 回复: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for CERT_RSA3072 and CERT_RSA4096
  2023-08-02  8:03       ` Sheng Wei
@ 2023-08-02  9:12         ` gaoliming via groups.io
  2023-08-03  7:29           ` Sheng Wei
  0 siblings, 1 reply; 17+ messages in thread
From: gaoliming via groups.io @ 2023-08-02  9:12 UTC (permalink / raw)
  To: 'Sheng, W', devel
  Cc: 'Yao, Jiewen', 'Wang, Jian J',
	'Xu, Min M', 'Chen, Zeyi', 'Wang, Fiona',
	'Lu, Xiaoyu1', 'Jiang, Guomin',
	'Kinney, Michael D'

Sheng Wei:
  I gave my comments for the patch 1/3 on this morning. Have you got my
response? 

  I just want to confirm whether these two new GUID are in the public UEFI
spec or not.

Thanks
Liming
> -----邮件原件-----
> 发件人: Sheng, W <w.sheng@intel.com>
> 发送时间: 2023年8月2日 16:04
> 收件人: devel@edk2.groups.io; Gao, Liming <gaoliming@byosoft.com.cn>
> 抄送: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi
> <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>; Lu, Xiaoyu1
> <xiaoyu1.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>; Kinney,
> Michael D <michael.d.kinney@intel.com>
> 主题: RE: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for
> CERT_RSA3072 and CERT_RSA4096
> 
> Hi Gao, Liming,
> For this patch group, we have got review-by from Yao, Jiewen on patch
> 2/3(CryptoPkg) and patch 3/3(SecurityPkg).
> Do you any comments on the patch 1/3 (MdePkg) ?
> Patch 1/3 is only to add 2 new GUIDs.
> Could you help to merge it ?
> 
> Thank you.
> BR
> Sheng Wei
> 
> > -----Original Message-----
> > From: Sheng, W
> > Sent: 2023年7月31日 10:02
> > To: 'devel@edk2.groups.io' <devel@edk2.groups.io>; Gao, Liming
> > <gaoliming@byosoft.com.cn>
> > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi
> > <Zeyi.Chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>; Lu, Xiaoyu1
> > <xiaoyu1.lu@intel.com>; Jiang, Guomin <Guomin.Jiang@intel.com>; Kinney,
> > Michael D <michael.d.kinney@intel.com>
> > Subject: RE: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for
> > CERT_RSA3072 and CERT_RSA4096
> >
> > Hi Gao, Liming,
> > Could you help to review and merge this patch to MdePkg?
> > This patch is only to add 2 new GUIDs.
> > These 2 GUIDs will be used for adding RSA3072/RSA4096 cert support for
> > secure boot feature.
> > Thank you.
> > BR
> > Sheng Wei
> >
> > > > -----Original Message-----
> > > > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of
> > Sheng
> > > > Wei
> > > > Sent: 2023年7月27日 14:35
> > > > To: devel@edk2.groups.io
> > > > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> > > > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi
> > > > <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>; Lu,
> > > > Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, Guomin
> > > > <guomin.jiang@intel.com>; Kinney, Michael D
> > > > <michael.d.kinney@intel.com>; Gao, Liming
> <gaoliming@byosoft.com.cn>
> > > > Subject: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for
> > > > CERT_RSA3072 and CERT_RSA4096
> > > >
> > > > Add gEfiCertRsa3072Guid and gEfiCertRsa4096Guid
> > > >
> > > > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > > > Cc: Jian J Wang <jian.j.wang@intel.com>
> > > > Cc: Min Xu <min.m.xu@intel.com>
> > > > Cc: Zeyi Chen <zeyi.chen@intel.com>
> > > > Cc: Fiona Wang <fiona.wang@intel.com>
> > > > Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
> > > > Cc: Guomin Jiang <guomin.jiang@intel.com>
> > > > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > > > Cc: Liming Gao <gaoliming@byosoft.com.cn>
> > > > Signed-off-by: Sheng Wei <w.sheng@intel.com>
> > > > ---
> > > >  MdePkg/Include/Guid/ImageAuthentication.h | 26
> > > > +++++++++++++++++++++++
> > > >  MdePkg/MdePkg.dec                         |  2 ++
> > > >  2 files changed, 28 insertions(+)
> > > >
> > > > diff --git a/MdePkg/Include/Guid/ImageAuthentication.h
> > > > b/MdePkg/Include/Guid/ImageAuthentication.h
> > > > index fe83596571..c8ea2c14fb 100644
> > > > --- a/MdePkg/Include/Guid/ImageAuthentication.h
> > > > +++ b/MdePkg/Include/Guid/ImageAuthentication.h
> > > > @@ -144,6 +144,30 @@ typedef struct {
> > > >      0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e,
0x85,
> 0xb3,
> > > > 0xb6} \   } +///+/// This identifies a signature containing an
RSA-3072
> key.
> > > The
> > > > key (only the modulus+/// since the public key exponent is known to
> > > > be
> > > > 0x10001) shall be stored in big-endian+/// order.+/// The
> > > > SignatureHeader size shall always be 0. The SignatureSize shall
> > > > always be 16 (size+/// of SignatureOwner component) + 384
> > bytes.+///+#define
> > > > EFI_CERT_RSA3072_GUID \+  { \+    0xedd320c2, 0xb057, 0x4b8e,
> {0xad,
> > > 0x46,
> > > > 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 } \+  }++///+/// This identifies
> > > > a signature containing an RSA-4096 key. The key (only the
> > > > modulus+/// since the public key exponent is known to be 0x10001)
> > > > shall be stored in big-endian+/// order.+/// The SignatureHeader
> > > > size shall always be 0. The SignatureSize shall always be 16
> > > > (size+/// of SignatureOwner
> > > component) + 512
> > > > bytes.+///+#define EFI_CERT_RSA4096_GUID \+  { \+
> 0xb23e89a6,
> > 0x8c8b,
> > > > 0x4412, {0x85, 0x73, 0x15, 0x4e, 0x8d, 0x00, 0x98, 0x2c } \+  }+ ///
> > > > /// This identifies a signature containing a RSA-2048 signature of a
> > > > SHA-256 hash.  The /// SignatureHeader size shall always be 0. The
> > > > SignatureSize shall always be
> > > > 16 (size of@@ -330,6 +354,8 @@ typedef struct {  extern EFI_GUID
> > > > gEfiImageSecurityDatabaseGuid; extern EFI_GUID gEfiCertSha256Guid;
> > > > extern EFI_GUID  gEfiCertRsa2048Guid;+extern EFI_GUID
> > > > gEfiCertRsa3072Guid;+extern EFI_GUID  gEfiCertRsa4096Guid; extern
> > > > EFI_GUID  gEfiCertRsa2048Sha256Guid; extern EFI_GUID
> > > > gEfiCertSha1Guid; extern EFI_GUID  gEfiCertRsa2048Sha1Guid;diff
> > > > --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec index
> > > > b85614992b..24e4779d33 100644
> > > > --- a/MdePkg/MdePkg.dec
> > > > +++ b/MdePkg/MdePkg.dec
> > > > @@ -581,6 +581,8 @@
> > > >    gEfiImageSecurityDatabaseGuid  = { 0xd719b2cb, 0x3d3a, 0x4596,
> {0xa3,
> > > > 0xbc, 0xda, 0xd0,  0xe, 0x67, 0x65, 0x6f }}   gEfiCertSha256Guid
> =
> > > > { 0xc1c41626, 0x504c, 0x4092, {0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93,
> > > > 0x43,
> > > 0x28 }}
> > > > gEfiCertRsa2048Guid            = { 0x3c5766e8, 0x269c, 0x4e34,
> {0xaa, 0x14,
> > > 0xed,
> > > > 0x77, 0x6e, 0x85, 0xb3, 0xb6 }}+  gEfiCertRsa3072Guid            =
> > { 0xedd320c2,
> > > > 0xb057, 0x4b8e, {0xad, 0x46, 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 }}+
> > > > gEfiCertRsa4096Guid            = { 0xb23e89a6, 0x8c8b, 0x4412,
> {0x85, 0x73,
> > > 0x15,
> > > > 0x4e, 0x8d, 0x00, 0x98, 0x2c }}   gEfiCertRsa2048Sha256Guid      =
> > > { 0xe2b36190,
> > > > 0x879b, 0x4a3d, {0xad, 0x8d, 0xf2, 0xe7, 0xbb, 0xa3, 0x27, 0x84 }}
> > > > gEfiCertSha1Guid               = { 0x826ca512, 0xcf10, 0x4ac9,
> {0xb1, 0x87, 0xbe,
> > > > 0x1, 0x49, 0x66, 0x31, 0xbd }}   gEfiCertRsa2048Sha1Guid        =
> > { 0x67f8444f,
> > > > 0x8743, 0x48f1, {0xa3, 0x28, 0x1e, 0xaa, 0xb8, 0x73, 0x60, 0x80 }}--
> > > > 2.26.2.windows.1
> > > >
> > > >
> > > >
> > > > -=-=-=-=-=-=
> > > > Groups.io Links: You receive all messages sent to this group.
> > > > View/Reply Online (#107294):
> > > > https://edk2.groups.io/g/devel/message/107294
> > > > Mute This Topic: https://groups.io/mt/100385942/2558558
> > > > Group Owner: devel+owner@edk2.groups.io
> > > > Unsubscribe: https://edk2.groups.io/g/devel/unsub
> > > > [w.sheng@intel.com]
> > > > - =-=-=-=-=-=
> > > >





-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#107455): https://edk2.groups.io/g/devel/message/107455
Mute This Topic: https://groups.io/mt/100501594/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for CERT_RSA3072 and CERT_RSA4096
  2023-08-02  9:12         ` 回复: " gaoliming via groups.io
@ 2023-08-03  7:29           ` Sheng Wei
  2023-08-03  8:12             ` Yao, Jiewen
  0 siblings, 1 reply; 17+ messages in thread
From: Sheng Wei @ 2023-08-03  7:29 UTC (permalink / raw)
  To: Gao, Liming, devel@edk2.groups.io
  Cc: Yao, Jiewen, Wang, Jian J, Xu, Min M, Chen, Zeyi, Wang, Fiona,
	Lu, Xiaoyu1, Jiang, Guomin, Kinney, Michael D

Hi Liming,
Sorry for the late response.
The two new GUID are not in the public UEFI spec yet.
Do we have any process to add these 2 new GUIDs ?
Thank you.
BR
Sheng Wei



> -----Original Message-----
> From: gaoliming <gaoliming@byosoft.com.cn>
> Sent: 2023年8月2日 17:12
> To: Sheng, W <w.sheng@intel.com>; devel@edk2.groups.io
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi
> <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>; Lu, Xiaoyu1
> <xiaoyu1.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>; Kinney,
> Michael D <michael.d.kinney@intel.com>
> Subject: 回复: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for
> CERT_RSA3072 and CERT_RSA4096
> 
> Sheng Wei:
>   I gave my comments for the patch 1/3 on this morning. Have you got my
> response?
> 
>   I just want to confirm whether these two new GUID are in the public UEFI
> spec or not.
> 
> Thanks
> Liming
> > -----邮件原件-----
> > 发件人: Sheng, W <w.sheng@intel.com>
> > 发送时间: 2023年8月2日 16:04
> > 收件人: devel@edk2.groups.io; Gao, Liming <gaoliming@byosoft.com.cn>
> > 抄送: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi
> > <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>; Lu, Xiaoyu1
> > <xiaoyu1.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>;
> > Kinney, Michael D <michael.d.kinney@intel.com>
> > 主题: RE: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for
> > CERT_RSA3072 and CERT_RSA4096
> >
> > Hi Gao, Liming,
> > For this patch group, we have got review-by from Yao, Jiewen on patch
> > 2/3(CryptoPkg) and patch 3/3(SecurityPkg).
> > Do you any comments on the patch 1/3 (MdePkg) ?
> > Patch 1/3 is only to add 2 new GUIDs.
> > Could you help to merge it ?
> >
> > Thank you.
> > BR
> > Sheng Wei
> >
> > > -----Original Message-----
> > > From: Sheng, W
> > > Sent: 2023年7月31日 10:02
> > > To: 'devel@edk2.groups.io' <devel@edk2.groups.io>; Gao, Liming
> > > <gaoliming@byosoft.com.cn>
> > > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> > > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi
> > > <Zeyi.Chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>; Lu,
> > > Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, Guomin
> > > <Guomin.Jiang@intel.com>; Kinney, Michael D
> > > <michael.d.kinney@intel.com>
> > > Subject: RE: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID
> > > for
> > > CERT_RSA3072 and CERT_RSA4096
> > >
> > > Hi Gao, Liming,
> > > Could you help to review and merge this patch to MdePkg?
> > > This patch is only to add 2 new GUIDs.
> > > These 2 GUIDs will be used for adding RSA3072/RSA4096 cert support
> > > for secure boot feature.
> > > Thank you.
> > > BR
> > > Sheng Wei
> > >
> > > > > -----Original Message-----
> > > > > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of
> > > Sheng
> > > > > Wei
> > > > > Sent: 2023年7月27日 14:35
> > > > > To: devel@edk2.groups.io
> > > > > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> > > > > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Chen,
> > > > > Zeyi <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>;
> > > > > Lu,
> > > > > Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, Guomin
> > > > > <guomin.jiang@intel.com>; Kinney, Michael D
> > > > > <michael.d.kinney@intel.com>; Gao, Liming
> > <gaoliming@byosoft.com.cn>
> > > > > Subject: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID
> > > > > for
> > > > > CERT_RSA3072 and CERT_RSA4096
> > > > >
> > > > > Add gEfiCertRsa3072Guid and gEfiCertRsa4096Guid
> > > > >
> > > > > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > > > > Cc: Jian J Wang <jian.j.wang@intel.com>
> > > > > Cc: Min Xu <min.m.xu@intel.com>
> > > > > Cc: Zeyi Chen <zeyi.chen@intel.com>
> > > > > Cc: Fiona Wang <fiona.wang@intel.com>
> > > > > Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
> > > > > Cc: Guomin Jiang <guomin.jiang@intel.com>
> > > > > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > > > > Cc: Liming Gao <gaoliming@byosoft.com.cn>
> > > > > Signed-off-by: Sheng Wei <w.sheng@intel.com>
> > > > > ---
> > > > >  MdePkg/Include/Guid/ImageAuthentication.h | 26
> > > > > +++++++++++++++++++++++
> > > > >  MdePkg/MdePkg.dec                         |  2 ++
> > > > >  2 files changed, 28 insertions(+)
> > > > >
> > > > > diff --git a/MdePkg/Include/Guid/ImageAuthentication.h
> > > > > b/MdePkg/Include/Guid/ImageAuthentication.h
> > > > > index fe83596571..c8ea2c14fb 100644
> > > > > --- a/MdePkg/Include/Guid/ImageAuthentication.h
> > > > > +++ b/MdePkg/Include/Guid/ImageAuthentication.h
> > > > > @@ -144,6 +144,30 @@ typedef struct {
> > > > >      0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e,
> 0x85,
> > 0xb3,
> > > > > 0xb6} \   } +///+/// This identifies a signature containing an
> RSA-3072
> > key.
> > > > The
> > > > > key (only the modulus+/// since the public key exponent is known
> > > > > to be
> > > > > 0x10001) shall be stored in big-endian+/// order.+/// The
> > > > > SignatureHeader size shall always be 0. The SignatureSize shall
> > > > > always be 16 (size+/// of SignatureOwner component) + 384
> > > bytes.+///+#define
> > > > > EFI_CERT_RSA3072_GUID \+  { \+    0xedd320c2, 0xb057, 0x4b8e,
> > {0xad,
> > > > 0x46,
> > > > > 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 } \+  }++///+/// This
> > > > > identifies a signature containing an RSA-4096 key. The key (only
> > > > > the
> > > > > modulus+/// since the public key exponent is known to be
> > > > > modulus+0x10001)
> > > > > shall be stored in big-endian+/// order.+/// The SignatureHeader
> > > > > size shall always be 0. The SignatureSize shall always be 16
> > > > > (size+/// of SignatureOwner
> > > > component) + 512
> > > > > bytes.+///+#define EFI_CERT_RSA4096_GUID \+  { \+
> > 0xb23e89a6,
> > > 0x8c8b,
> > > > > 0x4412, {0x85, 0x73, 0x15, 0x4e, 0x8d, 0x00, 0x98, 0x2c } \+  }+
> > > > > /// /// This identifies a signature containing a RSA-2048
> > > > > signature of a
> > > > > SHA-256 hash.  The /// SignatureHeader size shall always be 0.
> > > > > The SignatureSize shall always be
> > > > > 16 (size of@@ -330,6 +354,8 @@ typedef struct {  extern EFI_GUID
> > > > > gEfiImageSecurityDatabaseGuid; extern EFI_GUID
> > > > > gEfiCertSha256Guid; extern EFI_GUID  gEfiCertRsa2048Guid;+extern
> > > > > EFI_GUID gEfiCertRsa3072Guid;+extern EFI_GUID
> > > > > gEfiCertRsa4096Guid; extern EFI_GUID  gEfiCertRsa2048Sha256Guid;
> > > > > extern EFI_GUID gEfiCertSha1Guid; extern EFI_GUID
> > > > > gEfiCertRsa2048Sha1Guid;diff --git a/MdePkg/MdePkg.dec
> > > > > b/MdePkg/MdePkg.dec index
> > > > > b85614992b..24e4779d33 100644
> > > > > --- a/MdePkg/MdePkg.dec
> > > > > +++ b/MdePkg/MdePkg.dec
> > > > > @@ -581,6 +581,8 @@
> > > > >    gEfiImageSecurityDatabaseGuid  = { 0xd719b2cb, 0x3d3a,
> > > > > 0x4596,
> > {0xa3,
> > > > > 0xbc, 0xda, 0xd0,  0xe, 0x67, 0x65, 0x6f }}   gEfiCertSha256Guid
> > =
> > > > > { 0xc1c41626, 0x504c, 0x4092, {0xac, 0xa9, 0x41, 0xf9, 0x36,
> > > > > 0x93, 0x43,
> > > > 0x28 }}
> > > > > gEfiCertRsa2048Guid            = { 0x3c5766e8, 0x269c, 0x4e34,
> > {0xaa, 0x14,
> > > > 0xed,
> > > > > 0x77, 0x6e, 0x85, 0xb3, 0xb6 }}+  gEfiCertRsa3072Guid            =
> > > { 0xedd320c2,
> > > > > 0xb057, 0x4b8e, {0xad, 0x46, 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 }}+
> > > > > gEfiCertRsa4096Guid            = { 0xb23e89a6, 0x8c8b, 0x4412,
> > {0x85, 0x73,
> > > > 0x15,
> > > > > 0x4e, 0x8d, 0x00, 0x98, 0x2c }}   gEfiCertRsa2048Sha256Guid      =
> > > > { 0xe2b36190,
> > > > > 0x879b, 0x4a3d, {0xad, 0x8d, 0xf2, 0xe7, 0xbb, 0xa3, 0x27, 0x84 }}
> > > > > gEfiCertSha1Guid               = { 0x826ca512, 0xcf10, 0x4ac9,
> > {0xb1, 0x87, 0xbe,
> > > > > 0x1, 0x49, 0x66, 0x31, 0xbd }}   gEfiCertRsa2048Sha1Guid        =
> > > { 0x67f8444f,
> > > > > 0x8743, 0x48f1, {0xa3, 0x28, 0x1e, 0xaa, 0xb8, 0x73, 0x60, 0x80
> > > > > }}--
> > > > > 2.26.2.windows.1
> > > > >
> > > > >
> > > > >
> > > > > -=-=-=-=-=-=
> > > > > Groups.io Links: You receive all messages sent to this group.
> > > > > View/Reply Online (#107294):
> > > > > https://edk2.groups.io/g/devel/message/107294
> > > > > Mute This Topic: https://groups.io/mt/100385942/2558558
> > > > > Group Owner: devel+owner@edk2.groups.io
> > > > > Unsubscribe: https://edk2.groups.io/g/devel/unsub
> > > > > [w.sheng@intel.com]
> > > > > - =-=-=-=-=-=
> > > > >
> 
> 



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#107524): https://edk2.groups.io/g/devel/message/107524
Mute This Topic: https://groups.io/mt/100521910/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for CERT_RSA3072 and CERT_RSA4096
  2023-08-03  7:29           ` Sheng Wei
@ 2023-08-03  8:12             ` Yao, Jiewen
  2023-08-07  9:17               ` Sheng Wei
  0 siblings, 1 reply; 17+ messages in thread
From: Yao, Jiewen @ 2023-08-03  8:12 UTC (permalink / raw)
  To: Sheng, W, Gao, Liming, devel@edk2.groups.io
  Cc: Wang, Jian J, Xu, Min M, Chen, Zeyi, Wang, Fiona, Lu, Xiaoyu1,
	Jiang, Guomin, Kinney, Michael D

Hey
We cannot add anything not defined in UEFI spec yet. Thanks Liming to catch that.

Can you remove CERT_RSA3072 and CERT_RSA4096?

I think we need to use EFI_CERT_TYPE_PKCS7_GUID + EFI_CERT_X509_GUID to support RSA3072 and RSA4096.
Have you validated that configuration?


> -----Original Message-----
> From: Sheng, W <w.sheng@intel.com>
> Sent: Thursday, August 3, 2023 3:29 PM
> To: Gao, Liming <gaoliming@byosoft.com.cn>; devel@edk2.groups.io
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>;
> Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi <zeyi.chen@intel.com>; Wang,
> Fiona <fiona.wang@intel.com>; Lu, Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang,
> Guomin <guomin.jiang@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>
> Subject: RE: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for
> CERT_RSA3072 and CERT_RSA4096
> 
> Hi Liming,
> Sorry for the late response.
> The two new GUID are not in the public UEFI spec yet.
> Do we have any process to add these 2 new GUIDs ?
> Thank you.
> BR
> Sheng Wei
> 
> 
> 
> > -----Original Message-----
> > From: gaoliming <gaoliming@byosoft.com.cn>
> > Sent: 2023年8月2日 17:12
> > To: Sheng, W <w.sheng@intel.com>; devel@edk2.groups.io
> > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi
> > <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>; Lu, Xiaoyu1
> > <xiaoyu1.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>; Kinney,
> > Michael D <michael.d.kinney@intel.com>
> > Subject: 回复: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for
> > CERT_RSA3072 and CERT_RSA4096
> >
> > Sheng Wei:
> >   I gave my comments for the patch 1/3 on this morning. Have you got my
> > response?
> >
> >   I just want to confirm whether these two new GUID are in the public UEFI
> > spec or not.
> >
> > Thanks
> > Liming
> > > -----邮件原件-----
> > > 发件人: Sheng, W <w.sheng@intel.com>
> > > 发送时间: 2023年8月2日 16:04
> > > 收件人: devel@edk2.groups.io; Gao, Liming <gaoliming@byosoft.com.cn>
> > > 抄送: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> > > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi
> > > <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>; Lu, Xiaoyu1
> > > <xiaoyu1.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>;
> > > Kinney, Michael D <michael.d.kinney@intel.com>
> > > 主题: RE: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for
> > > CERT_RSA3072 and CERT_RSA4096
> > >
> > > Hi Gao, Liming,
> > > For this patch group, we have got review-by from Yao, Jiewen on patch
> > > 2/3(CryptoPkg) and patch 3/3(SecurityPkg).
> > > Do you any comments on the patch 1/3 (MdePkg) ?
> > > Patch 1/3 is only to add 2 new GUIDs.
> > > Could you help to merge it ?
> > >
> > > Thank you.
> > > BR
> > > Sheng Wei
> > >
> > > > -----Original Message-----
> > > > From: Sheng, W
> > > > Sent: 2023年7月31日 10:02
> > > > To: 'devel@edk2.groups.io' <devel@edk2.groups.io>; Gao, Liming
> > > > <gaoliming@byosoft.com.cn>
> > > > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> > > > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi
> > > > <Zeyi.Chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>; Lu,
> > > > Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, Guomin
> > > > <Guomin.Jiang@intel.com>; Kinney, Michael D
> > > > <michael.d.kinney@intel.com>
> > > > Subject: RE: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID
> > > > for
> > > > CERT_RSA3072 and CERT_RSA4096
> > > >
> > > > Hi Gao, Liming,
> > > > Could you help to review and merge this patch to MdePkg?
> > > > This patch is only to add 2 new GUIDs.
> > > > These 2 GUIDs will be used for adding RSA3072/RSA4096 cert support
> > > > for secure boot feature.
> > > > Thank you.
> > > > BR
> > > > Sheng Wei
> > > >
> > > > > > -----Original Message-----
> > > > > > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of
> > > > Sheng
> > > > > > Wei
> > > > > > Sent: 2023年7月27日 14:35
> > > > > > To: devel@edk2.groups.io
> > > > > > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> > > > > > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Chen,
> > > > > > Zeyi <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>;
> > > > > > Lu,
> > > > > > Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, Guomin
> > > > > > <guomin.jiang@intel.com>; Kinney, Michael D
> > > > > > <michael.d.kinney@intel.com>; Gao, Liming
> > > <gaoliming@byosoft.com.cn>
> > > > > > Subject: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID
> > > > > > for
> > > > > > CERT_RSA3072 and CERT_RSA4096
> > > > > >
> > > > > > Add gEfiCertRsa3072Guid and gEfiCertRsa4096Guid
> > > > > >
> > > > > > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > > > > > Cc: Jian J Wang <jian.j.wang@intel.com>
> > > > > > Cc: Min Xu <min.m.xu@intel.com>
> > > > > > Cc: Zeyi Chen <zeyi.chen@intel.com>
> > > > > > Cc: Fiona Wang <fiona.wang@intel.com>
> > > > > > Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
> > > > > > Cc: Guomin Jiang <guomin.jiang@intel.com>
> > > > > > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > > > > > Cc: Liming Gao <gaoliming@byosoft.com.cn>
> > > > > > Signed-off-by: Sheng Wei <w.sheng@intel.com>
> > > > > > ---
> > > > > >  MdePkg/Include/Guid/ImageAuthentication.h | 26
> > > > > > +++++++++++++++++++++++
> > > > > >  MdePkg/MdePkg.dec                         |  2 ++
> > > > > >  2 files changed, 28 insertions(+)
> > > > > >
> > > > > > diff --git a/MdePkg/Include/Guid/ImageAuthentication.h
> > > > > > b/MdePkg/Include/Guid/ImageAuthentication.h
> > > > > > index fe83596571..c8ea2c14fb 100644
> > > > > > --- a/MdePkg/Include/Guid/ImageAuthentication.h
> > > > > > +++ b/MdePkg/Include/Guid/ImageAuthentication.h
> > > > > > @@ -144,6 +144,30 @@ typedef struct {
> > > > > >      0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e,
> > 0x85,
> > > 0xb3,
> > > > > > 0xb6} \   } +///+/// This identifies a signature containing an
> > RSA-3072
> > > key.
> > > > > The
> > > > > > key (only the modulus+/// since the public key exponent is known
> > > > > > to be
> > > > > > 0x10001) shall be stored in big-endian+/// order.+/// The
> > > > > > SignatureHeader size shall always be 0. The SignatureSize shall
> > > > > > always be 16 (size+/// of SignatureOwner component) + 384
> > > > bytes.+///+#define
> > > > > > EFI_CERT_RSA3072_GUID \+  { \+    0xedd320c2, 0xb057, 0x4b8e,
> > > {0xad,
> > > > > 0x46,
> > > > > > 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 } \+  }++///+/// This
> > > > > > identifies a signature containing an RSA-4096 key. The key (only
> > > > > > the
> > > > > > modulus+/// since the public key exponent is known to be
> > > > > > modulus+0x10001)
> > > > > > shall be stored in big-endian+/// order.+/// The SignatureHeader
> > > > > > size shall always be 0. The SignatureSize shall always be 16
> > > > > > (size+/// of SignatureOwner
> > > > > component) + 512
> > > > > > bytes.+///+#define EFI_CERT_RSA4096_GUID \+  { \+
> > > 0xb23e89a6,
> > > > 0x8c8b,
> > > > > > 0x4412, {0x85, 0x73, 0x15, 0x4e, 0x8d, 0x00, 0x98, 0x2c } \+  }+
> > > > > > /// /// This identifies a signature containing a RSA-2048
> > > > > > signature of a
> > > > > > SHA-256 hash.  The /// SignatureHeader size shall always be 0.
> > > > > > The SignatureSize shall always be
> > > > > > 16 (size of@@ -330,6 +354,8 @@ typedef struct {  extern EFI_GUID
> > > > > > gEfiImageSecurityDatabaseGuid; extern EFI_GUID
> > > > > > gEfiCertSha256Guid; extern EFI_GUID  gEfiCertRsa2048Guid;+extern
> > > > > > EFI_GUID gEfiCertRsa3072Guid;+extern EFI_GUID
> > > > > > gEfiCertRsa4096Guid; extern EFI_GUID  gEfiCertRsa2048Sha256Guid;
> > > > > > extern EFI_GUID gEfiCertSha1Guid; extern EFI_GUID
> > > > > > gEfiCertRsa2048Sha1Guid;diff --git a/MdePkg/MdePkg.dec
> > > > > > b/MdePkg/MdePkg.dec index
> > > > > > b85614992b..24e4779d33 100644
> > > > > > --- a/MdePkg/MdePkg.dec
> > > > > > +++ b/MdePkg/MdePkg.dec
> > > > > > @@ -581,6 +581,8 @@
> > > > > >    gEfiImageSecurityDatabaseGuid  = { 0xd719b2cb, 0x3d3a,
> > > > > > 0x4596,
> > > {0xa3,
> > > > > > 0xbc, 0xda, 0xd0,  0xe, 0x67, 0x65, 0x6f }}   gEfiCertSha256Guid
> > > =
> > > > > > { 0xc1c41626, 0x504c, 0x4092, {0xac, 0xa9, 0x41, 0xf9, 0x36,
> > > > > > 0x93, 0x43,
> > > > > 0x28 }}
> > > > > > gEfiCertRsa2048Guid            = { 0x3c5766e8, 0x269c, 0x4e34,
> > > {0xaa, 0x14,
> > > > > 0xed,
> > > > > > 0x77, 0x6e, 0x85, 0xb3, 0xb6 }}+  gEfiCertRsa3072Guid            =
> > > > { 0xedd320c2,
> > > > > > 0xb057, 0x4b8e, {0xad, 0x46, 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 }}+
> > > > > > gEfiCertRsa4096Guid            = { 0xb23e89a6, 0x8c8b, 0x4412,
> > > {0x85, 0x73,
> > > > > 0x15,
> > > > > > 0x4e, 0x8d, 0x00, 0x98, 0x2c }}   gEfiCertRsa2048Sha256Guid      =
> > > > > { 0xe2b36190,
> > > > > > 0x879b, 0x4a3d, {0xad, 0x8d, 0xf2, 0xe7, 0xbb, 0xa3, 0x27, 0x84 }}
> > > > > > gEfiCertSha1Guid               = { 0x826ca512, 0xcf10, 0x4ac9,
> > > {0xb1, 0x87, 0xbe,
> > > > > > 0x1, 0x49, 0x66, 0x31, 0xbd }}   gEfiCertRsa2048Sha1Guid        =
> > > > { 0x67f8444f,
> > > > > > 0x8743, 0x48f1, {0xa3, 0x28, 0x1e, 0xaa, 0xb8, 0x73, 0x60, 0x80
> > > > > > }}--
> > > > > > 2.26.2.windows.1
> > > > > >
> > > > > >
> > > > > >
> > > > > > -=-=-=-=-=-=
> > > > > > Groups.io Links: You receive all messages sent to this group.
> > > > > > View/Reply Online (#107294):
> > > > > > https://edk2.groups.io/g/devel/message/107294
> > > > > > Mute This Topic: https://groups.io/mt/100385942/2558558
> > > > > > Group Owner: devel+owner@edk2.groups.io
> > > > > > Unsubscribe: https://edk2.groups.io/g/devel/unsub
> > > > > > [w.sheng@intel.com]
> > > > > > - =-=-=-=-=-=
> > > > > >
> >
> >



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#107526): https://edk2.groups.io/g/devel/message/107526
Mute This Topic: https://groups.io/mt/100521910/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for CERT_RSA3072 and CERT_RSA4096
  2023-08-03  8:12             ` Yao, Jiewen
@ 2023-08-07  9:17               ` Sheng Wei
  0 siblings, 0 replies; 17+ messages in thread
From: Sheng Wei @ 2023-08-07  9:17 UTC (permalink / raw)
  To: Yao, Jiewen, Gao, Liming, devel@edk2.groups.io
  Cc: Wang, Jian J, Xu, Min M, Chen, Zeyi, Wang, Fiona, Lu, Xiaoyu1,
	Jiang, Guomin, Kinney, Michael D

Hi Jiewen,
I remove the new GUIDs.
I use signature type gEfiCertX509Guid when enroll RSA3072/RSA4096 KEK.
This signature type is used in below 6 places.
1) Show key name string in KEK delete page                     UpdateDeletePage()
2) Check supported SignatureType when delete KEK       DeleteKeyExchangeKey()
3) Check supported SignatureType when delete KEK       DeleteSignature()
4) Show key name when load the Signature                      LoadSignatureList()
5) Show help info string when load the Signature             FormatHelpInfo()
6) Check supported SignatureType                                       CheckSignatureListFormat()

It is no need to change MdePkg.
All the changes are in CryptoPkg and SecurityPkg.
I did the local unit test and raised the patch v6.
Could you help to review/merge the patches ?

Thank you
BR
Sheng Wei

> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: 2023年8月3日 16:13
> To: Sheng, W <w.sheng@intel.com>; Gao, Liming
> <gaoliming@byosoft.com.cn>; devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>;
> Chen, Zeyi <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>;
> Lu, Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, Guomin
> <guomin.jiang@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>
> Subject: RE: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for
> CERT_RSA3072 and CERT_RSA4096
> 
> Hey
> We cannot add anything not defined in UEFI spec yet. Thanks Liming to catch
> that.
> 
> Can you remove CERT_RSA3072 and CERT_RSA4096?
> 
> I think we need to use EFI_CERT_TYPE_PKCS7_GUID + EFI_CERT_X509_GUID
> to support RSA3072 and RSA4096.
> Have you validated that configuration?
> 
> 
> > -----Original Message-----
> > From: Sheng, W <w.sheng@intel.com>
> > Sent: Thursday, August 3, 2023 3:29 PM
> > To: Gao, Liming <gaoliming@byosoft.com.cn>; devel@edk2.groups.io
> > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi
> > <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>; Lu, Xiaoyu1
> > <xiaoyu1.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>;
> > Kinney, Michael D <michael.d.kinney@intel.com>
> > Subject: RE: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for
> > CERT_RSA3072 and CERT_RSA4096
> >
> > Hi Liming,
> > Sorry for the late response.
> > The two new GUID are not in the public UEFI spec yet.
> > Do we have any process to add these 2 new GUIDs ?
> > Thank you.
> > BR
> > Sheng Wei
> >
> >
> >
> > > -----Original Message-----
> > > From: gaoliming <gaoliming@byosoft.com.cn>
> > > Sent: 2023年8月2日 17:12
> > > To: Sheng, W <w.sheng@intel.com>; devel@edk2.groups.io
> > > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> > > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Chen, Zeyi
> > > <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>; Lu,
> > > Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, Guomin
> > > <guomin.jiang@intel.com>; Kinney, Michael D
> > > <michael.d.kinney@intel.com>
> > > Subject: 回复: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID
> > > for
> > > CERT_RSA3072 and CERT_RSA4096
> > >
> > > Sheng Wei:
> > >   I gave my comments for the patch 1/3 on this morning. Have you got
> > > my response?
> > >
> > >   I just want to confirm whether these two new GUID are in the
> > > public UEFI spec or not.
> > >
> > > Thanks
> > > Liming
> > > > -----邮件原件-----
> > > > 发件人: Sheng, W <w.sheng@intel.com>
> > > > 发送时间: 2023年8月2日 16:04
> > > > 收件人: devel@edk2.groups.io; Gao, Liming
> <gaoliming@byosoft.com.cn>
> > > > 抄送: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> > > > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Chen,
> > > > Zeyi <zeyi.chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>;
> > > > Lu, Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, Guomin
> > > > <guomin.jiang@intel.com>; Kinney, Michael D
> > > > <michael.d.kinney@intel.com>
> > > > 主题: RE: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for
> > > > CERT_RSA3072 and CERT_RSA4096
> > > >
> > > > Hi Gao, Liming,
> > > > For this patch group, we have got review-by from Yao, Jiewen on
> > > > patch
> > > > 2/3(CryptoPkg) and patch 3/3(SecurityPkg).
> > > > Do you any comments on the patch 1/3 (MdePkg) ?
> > > > Patch 1/3 is only to add 2 new GUIDs.
> > > > Could you help to merge it ?
> > > >
> > > > Thank you.
> > > > BR
> > > > Sheng Wei
> > > >
> > > > > -----Original Message-----
> > > > > From: Sheng, W
> > > > > Sent: 2023年7月31日 10:02
> > > > > To: 'devel@edk2.groups.io' <devel@edk2.groups.io>; Gao, Liming
> > > > > <gaoliming@byosoft.com.cn>
> > > > > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> > > > > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Chen,
> > > > > Zeyi <Zeyi.Chen@intel.com>; Wang, Fiona <fiona.wang@intel.com>;
> > > > > Lu,
> > > > > Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, Guomin
> > > > > <Guomin.Jiang@intel.com>; Kinney, Michael D
> > > > > <michael.d.kinney@intel.com>
> > > > > Subject: RE: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add
> > > > > GUID for
> > > > > CERT_RSA3072 and CERT_RSA4096
> > > > >
> > > > > Hi Gao, Liming,
> > > > > Could you help to review and merge this patch to MdePkg?
> > > > > This patch is only to add 2 new GUIDs.
> > > > > These 2 GUIDs will be used for adding RSA3072/RSA4096 cert
> > > > > support for secure boot feature.
> > > > > Thank you.
> > > > > BR
> > > > > Sheng Wei
> > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf
> > > > > > > Of
> > > > > Sheng
> > > > > > > Wei
> > > > > > > Sent: 2023年7月27日 14:35
> > > > > > > To: devel@edk2.groups.io
> > > > > > > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> > > > > > > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>;
> > > > > > > Chen, Zeyi <zeyi.chen@intel.com>; Wang, Fiona
> > > > > > > <fiona.wang@intel.com>; Lu,
> > > > > > > Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, Guomin
> > > > > > > <guomin.jiang@intel.com>; Kinney, Michael D
> > > > > > > <michael.d.kinney@intel.com>; Gao, Liming
> > > > <gaoliming@byosoft.com.cn>
> > > > > > > Subject: [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add
> > > > > > > GUID for
> > > > > > > CERT_RSA3072 and CERT_RSA4096
> > > > > > >
> > > > > > > Add gEfiCertRsa3072Guid and gEfiCertRsa4096Guid
> > > > > > >
> > > > > > > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > > > > > > Cc: Jian J Wang <jian.j.wang@intel.com>
> > > > > > > Cc: Min Xu <min.m.xu@intel.com>
> > > > > > > Cc: Zeyi Chen <zeyi.chen@intel.com>
> > > > > > > Cc: Fiona Wang <fiona.wang@intel.com>
> > > > > > > Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
> > > > > > > Cc: Guomin Jiang <guomin.jiang@intel.com>
> > > > > > > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > > > > > > Cc: Liming Gao <gaoliming@byosoft.com.cn>
> > > > > > > Signed-off-by: Sheng Wei <w.sheng@intel.com>
> > > > > > > ---
> > > > > > >  MdePkg/Include/Guid/ImageAuthentication.h | 26
> > > > > > > +++++++++++++++++++++++
> > > > > > >  MdePkg/MdePkg.dec                         |  2 ++
> > > > > > >  2 files changed, 28 insertions(+)
> > > > > > >
> > > > > > > diff --git a/MdePkg/Include/Guid/ImageAuthentication.h
> > > > > > > b/MdePkg/Include/Guid/ImageAuthentication.h
> > > > > > > index fe83596571..c8ea2c14fb 100644
> > > > > > > --- a/MdePkg/Include/Guid/ImageAuthentication.h
> > > > > > > +++ b/MdePkg/Include/Guid/ImageAuthentication.h
> > > > > > > @@ -144,6 +144,30 @@ typedef struct {
> > > > > > >      0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77,
> > > > > > > 0x6e,
> > > 0x85,
> > > > 0xb3,
> > > > > > > 0xb6} \   } +///+/// This identifies a signature containing an
> > > RSA-3072
> > > > key.
> > > > > > The
> > > > > > > key (only the modulus+/// since the public key exponent is
> > > > > > > known to be
> > > > > > > 0x10001) shall be stored in big-endian+/// order.+/// The
> > > > > > > SignatureHeader size shall always be 0. The SignatureSize
> > > > > > > shall always be 16 (size+/// of SignatureOwner component) +
> > > > > > > 384
> > > > > bytes.+///+#define
> > > > > > > EFI_CERT_RSA3072_GUID \+  { \+    0xedd320c2, 0xb057, 0x4b8e,
> > > > {0xad,
> > > > > > 0x46,
> > > > > > > 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 } \+  }++///+/// This
> > > > > > > identifies a signature containing an RSA-4096 key. The key
> > > > > > > (only the
> > > > > > > modulus+/// since the public key exponent is known to be
> > > > > > > modulus+0x10001)
> > > > > > > shall be stored in big-endian+/// order.+/// The
> > > > > > > SignatureHeader size shall always be 0. The SignatureSize
> > > > > > > shall always be 16 (size+/// of SignatureOwner
> > > > > > component) + 512
> > > > > > > bytes.+///+#define EFI_CERT_RSA4096_GUID \+  { \+
> > > > 0xb23e89a6,
> > > > > 0x8c8b,
> > > > > > > 0x4412, {0x85, 0x73, 0x15, 0x4e, 0x8d, 0x00, 0x98, 0x2c } \+
> > > > > > > }+ /// /// This identifies a signature containing a RSA-2048
> > > > > > > signature of a
> > > > > > > SHA-256 hash.  The /// SignatureHeader size shall always be 0.
> > > > > > > The SignatureSize shall always be
> > > > > > > 16 (size of@@ -330,6 +354,8 @@ typedef struct {  extern
> > > > > > > EFI_GUID gEfiImageSecurityDatabaseGuid; extern EFI_GUID
> > > > > > > gEfiCertSha256Guid; extern EFI_GUID
> > > > > > > gEfiCertRsa2048Guid;+extern EFI_GUID
> > > > > > > gEfiCertRsa3072Guid;+extern EFI_GUID gEfiCertRsa4096Guid;
> > > > > > > extern EFI_GUID  gEfiCertRsa2048Sha256Guid; extern EFI_GUID
> > > > > > > gEfiCertSha1Guid; extern EFI_GUID
> > > > > > > gEfiCertRsa2048Sha1Guid;diff --git a/MdePkg/MdePkg.dec
> > > > > > > b/MdePkg/MdePkg.dec index
> > > > > > > b85614992b..24e4779d33 100644
> > > > > > > --- a/MdePkg/MdePkg.dec
> > > > > > > +++ b/MdePkg/MdePkg.dec
> > > > > > > @@ -581,6 +581,8 @@
> > > > > > >    gEfiImageSecurityDatabaseGuid  = { 0xd719b2cb, 0x3d3a,
> > > > > > > 0x4596,
> > > > {0xa3,
> > > > > > > 0xbc, 0xda, 0xd0,  0xe, 0x67, 0x65, 0x6f }}   gEfiCertSha256Guid
> > > > =
> > > > > > > { 0xc1c41626, 0x504c, 0x4092, {0xac, 0xa9, 0x41, 0xf9, 0x36,
> > > > > > > 0x93, 0x43,
> > > > > > 0x28 }}
> > > > > > > gEfiCertRsa2048Guid            = { 0x3c5766e8, 0x269c, 0x4e34,
> > > > {0xaa, 0x14,
> > > > > > 0xed,
> > > > > > > 0x77, 0x6e, 0x85, 0xb3, 0xb6 }}+  gEfiCertRsa3072Guid            =
> > > > > { 0xedd320c2,
> > > > > > > 0xb057, 0x4b8e, {0xad, 0x46, 0x2c, 0x9b, 0x85, 0x89, 0xee, 0x92 }}+
> > > > > > > gEfiCertRsa4096Guid            = { 0xb23e89a6, 0x8c8b, 0x4412,
> > > > {0x85, 0x73,
> > > > > > 0x15,
> > > > > > > 0x4e, 0x8d, 0x00, 0x98, 0x2c }}   gEfiCertRsa2048Sha256Guid      =
> > > > > > { 0xe2b36190,
> > > > > > > 0x879b, 0x4a3d, {0xad, 0x8d, 0xf2, 0xe7, 0xbb, 0xa3, 0x27, 0x84 }}
> > > > > > > gEfiCertSha1Guid               = { 0x826ca512, 0xcf10, 0x4ac9,
> > > > {0xb1, 0x87, 0xbe,
> > > > > > > 0x1, 0x49, 0x66, 0x31, 0xbd }}   gEfiCertRsa2048Sha1Guid        =
> > > > > { 0x67f8444f,
> > > > > > > 0x8743, 0x48f1, {0xa3, 0x28, 0x1e, 0xaa, 0xb8, 0x73, 0x60,
> > > > > > > 0x80
> > > > > > > }}--
> > > > > > > 2.26.2.windows.1
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > -=-=-=-=-=-=
> > > > > > > Groups.io Links: You receive all messages sent to this group.
> > > > > > > View/Reply Online (#107294):
> > > > > > > https://edk2.groups.io/g/devel/message/107294
> > > > > > > Mute This Topic: https://groups.io/mt/100385942/2558558
> > > > > > > Group Owner: devel+owner@edk2.groups.io
> > > > > > > Unsubscribe: https://edk2.groups.io/g/devel/unsub
> > > > > > > [w.sheng@intel.com]
> > > > > > > - =-=-=-=-=-=
> > > > > > >
> > >
> > >



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#107614): https://edk2.groups.io/g/devel/message/107614
Mute This Topic: https://groups.io/mt/100521910/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



^ permalink raw reply	[flat|nested] 17+ messages in thread

end of thread, other threads:[~2023-08-07  9:18 UTC | newest]

Thread overview: 17+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-07-27  6:35 [edk2-devel] [PATCH V5 0/3] SecureBoot: Support RSA 512 and RSA 384 Sheng Wei
2023-07-27  6:35 ` [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for CERT_RSA3072 and CERT_RSA4096 Sheng Wei
2023-07-27  6:35 ` [edk2-devel] [PATCH V5 2/3] CryptoPkg/Library/BaseCryptLib: add sha384 and sha512 to ImageTimestampVerify Sheng Wei
2023-07-27  9:42   ` Yao, Jiewen
2023-07-27  6:35 ` [edk2-devel] [PATCH V5 3/3] SecurityPkg/SecureBoot: Support RSA 512 and RSA 384 Sheng Wei
2023-07-28  2:34   ` Yao, Jiewen
2023-07-27  9:44 ` [edk2-devel] [PATCH V5 0/3] SecureBoot: " Yao, Jiewen
2023-07-28  1:49   ` Sheng Wei
2023-07-28  2:15     ` Yao, Jiewen
     [not found] ` <1775A5F91CFEF78E.27447@groups.io>
2023-07-28  4:32   ` [edk2-devel] [PATCH V5 1/3] MdePkg/Include: Add GUID for CERT_RSA3072 and CERT_RSA4096 Sheng Wei
2023-07-31  2:01     ` Sheng Wei
2023-08-02  2:58       ` 回复: " gaoliming via groups.io
2023-08-02  8:03       ` Sheng Wei
2023-08-02  9:12         ` 回复: " gaoliming via groups.io
2023-08-03  7:29           ` Sheng Wei
2023-08-03  8:12             ` Yao, Jiewen
2023-08-07  9:17               ` Sheng Wei

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox